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FOURTH IN A SERIES OF 
SUBCOMMITTEE HEARINGS ON 
SOCIAL SECURITY NUMBER HIGH-RISK ISSUES 


THURSDAY, MARCH 16, 2006 

U.S. House of Representatives, 

Committee on Ways and Means, 
Subcommittee on Social Security, 

Washington, DC. 

The Subcommittee met, pursuant to notice, at 10:03 a.m., in 
room B-318, Rayburn House Office Building, Hon. Jim McCrery 
(Chairman of the Subcommittee) presiding. 

[The advisory announcing the hearing follows:] 


( 1 ) 
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ADVISORY 

FROM THE COMMITTEE ON WAYS AND MEANS 

SUBCOMMITTEE ON SOCIAL SECURITY 

FOR IMMEDIATE RE T, EA SE CONTACT: (202) 225-9263 

March 8, 2006 

SS-13 


McCrery Announces Fourth in a 
Series of Subcommittee Hearings on 
Social Security Number High-Risk Issues 

Congressman Jim McCrery, (R-LA), Chairman, Subcommittee on Social Security 
of the Committee on Ways and Means, today announced that the Subcommittee will 
hold the fourth in a series of Subcommittee hearings on Social Security number 
(SSN) high-risk issues. The hearing will examine expanding uses of the SSN card 
and measures to prevent SSN card fraud. The hearing will take place on Thurs- 
day, March 16, 2006, in room B-318 Rayburn House Office Building, begin- 
ning at 10:00 a.m. 

In view of the limited time available to hear witnesses, oral testimony at this 
hearing will be from invited witnesses only. However, any individual or organization 
not scheduled for an oral appearance may submit a written statement for consider- 
ation by the Committee and for inclusion in the printed record of the hearing. 

BACKGROUND : 

The SSN was created in 1936 to record earnings and benefits for the Social Secu- 
rity program. The sole purpose of the SSN card was to show that an SSN had been 
issued to the named individual. Originally, the SSN card had no security features 
other than the individual’s signature. 

Within a decade, the SSN’s use grew beyond its original narrow purpose, and has 
continued to expand. According to the Social Security Administration (SSA), the 
SSN is now the single most widely-used record identifier for both the government 
and the private sectors. 

As with the SSN, the SSN card’s uses also have expanded over the decades. Cur- 
rently, one of its most important roles is in work authorization. The U.S. Depart- 
ment of Homeland Security requires employers to document the identity and em- 
ployment eligibility of their new hires. For U.S. citizens and some non-citizens, em- 
ployers may accept the SSN card as proof of a person’s eligibility to work in the 
United States. 

As the uses of the SSN and the SSN card have increased, security features have 
been added to the SSN card to prevent its fraudulent duplication or alteration. For 
example, legislation enacted in the early 1980s required specific changes to the SSN 
card, and the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108- 
458) requires that standards be established and implemented to safeguard SSN 
cards from counterfeiting, tampering, alteration, and theft. However, the SSA does 
not replace all existing SSN cards when a new SSN card design is adopted, due to 
workload concerns and the potential burden on the public. As a result, since 1936, 
the SSA has issued more than 433 million SSNs, with about 50 different versions 
of the SSN card — all of which are still valid. 

Despite its adoption for other purposes, the SSN card by itself is not a personal 
identity document. The SSN card does not contain information that would confirm 
that the person presenting the card is actually the person whose name and SSN ap- 
pear on the card. Several bills introduced in the 109th Congress would mandate sig- 
nificant changes to the card for that purpose. For example, one proposal would en- 
hance the security features in the SSN card as part of a package of changes to the 
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process of confirming the identity and work eligibility of new hires. However, ideas 
such as adding photographs, machine-readable electronic strips, and other features 
to SSN cards have raised concerns about the future purpose of the card. Some have 
expressed concerns that SSN card may evolve into a form of national identification. 

In announcing the hearing. Chairman McCrery stated, “Because of the expanding 
use of SSNs and SSN cards, they are often transformed into tools to gain illegal 
employment and perpetrate identity theft and other crimes. We need a thorough ex- 
amination of the appropriateness of using SSNs in certain roles. It is equally impor- 
tant for us to examine the potential impact on individual’s security and privacy that 
could result from changes to the design of the SSN card.” 

FOCUS OF THE HEARING : 

The Subcommittee will examine the history of SSNs and SSN card use, the role 
of the SSN card in work authorization, measures to prevent SSN card fraud, and 
the potential effects of transforming the SSN card into an identification document. 

DETATT,S FOR SUBMISSION OF WRITTEN COMMENTS: 

Please Note: Any person(s) and/or organization(s) wishing to submit for the hear- 
ing record must follow the appropriate link on the hearing page of the Committee 
website and complete the informational forms. From the Committee homepage, 
http:llwaysandmeans.house.gov, select “109th Congress” from the menu entitled, 
“Hearing Archives” {http://waysandmeans.house.gov/Hearings.asp?congress=17). Se- 
lect the hearing for which you would like to submit, and click on the link entitled, 
“Click here to provide a submission for the record.” Once you have followed the on- 
line instructions, completing all informational forms and clicking “submit” on the 
final page, an email will be sent to the address which you supply confirming your 
interest in providing a submission for the record. You MUST REPLY to the email 
and ATTACH your submission as a Word or WordPerfect document, in compliance 
with the formatting requirements listed below, by close of business Thursday, March 
30, 2006. Finally, please note that due to the change in House mail policy, the U.S. 
Capitol Police will refuse sealed-package deliveries to all House Office Buildings. 
For questions, or if you encounter technical problems, please call (202) 225-1721. 

FORMATTING REQUIREMENTS : 

The Committee relies on electronic submissions for printing the official hearing record. As al- 
ways, submissions will be included in the record according to the discretion of the Committee. 
The Committee will not alter the content of your submission, but we reserve the right to format 
it according to our guidelines. Any submission provided to the Committee by a witness, any sup- 
plementary materials submitted for the printed record, and any written comments in response 
to a request for written comments must conform to the guidelines listed below. Any submission 
or supplementary item not in compliance with these guidelines will not be printed, but will be 
maintained in the Committee files for review and use by the Committee. 

1. All submissions and supplementary materials must be provided in Word or WordPerfect 
format and MUST NOT exceed a total of 10 pages, including attachments. Witnesses and sub- 
mitters are advised that the Committee relies on electronic submissions for printing the official 
hearing record. 

2. Copies of whole documents submitted as exhibit material will not be accepted for printing. 
Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material 
not meeting these specifications will be maintained in the Committee files for review and use 
by the Committee. 

3. All submissions must include a list of all clients, persons, and/or organizations on whose 
behalf the witness appears. A supplemental sheet must accompany each submission listing the 
name, company, address, telephone and fax numbers of each witness. 

Note: All Committee advisories and news releases are available on the World 
Wide Web at http:llwaysandmeans.house.gov . 

The Committee seeks to make its facilities accessible to persons with disabilities. 
If you are in need of special accommodations, please call 202-225-1721 or 202-226- 
3411 TTD/TTY in advance of the event (four business days notice is requested). 
Questions with regard to special accommodation needs in general (including avail- 
ability of Committee materials in alternative formats) may be directed to the Com- 
mittee as noted above. 
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Chairman MCCRERY. The hearing will come to order. Good 
morning, and welcome to our fourth in a series of hearings on high 
risk issues related to Social Security numbers (SSNs). Today, we 
will examine the expanding uses of the SSN and options to prevent 
fraud involving SSN cards, and in the interests of time, because we 
are going to have votes coming up pretty soon, I am going to sub- 
mit the rest of my opening statement in writing for the record, and 
I would yield to my colleague, the Ranking Member, Mr. Levin. 

[The prepared statement of Chairman McCrery follows:] 

Opening Statement of The Honorable Jim MeCrery, Chairman, and a 
Representative in Congress from the State of Louisiana 

Good morning and welcome to our fourth in a series of hearings on high-risk 
issues related to Social Security numbers, or SSNs. Today, well examine the ex- 
panding uses of the SSN and options to prevent fraud involving SSN cards. 

Much of our discussion at this hearing will focus on the use of the SSN and SSN 
card in employment. Current law requires employers to verify the identity and em- 
ployment eligibility of new hires. Employers may accept an SSN card as one of sev- 
eral documents that a person may present as proof of employment eligibility, if the 
card does not bear either of two legends: “Not Valid for Employment” or “Valid for 
Work Only with DHS Authorization.” 

After examining a new hire’s documents; the employer must accept them, if the 
documents reasonably appear to be genuine and belong to the worker. If an em- 
ployee uses an SSN card to prove work authorization, he or she must provide an- 
other document to prove his or her identity, such as a driver’s license. 

To simplify the process for employers and prevent unauthorized work, some legis- 
lators have proposed making the SSN card the single, counterfeit and tamper-resist- 
ant document employers would be required to see, replacing all the others. The SSN 
card would be modified to contain proof of identity. Employers would use it to access 
a government database to verify employment eligibility. 

Such a change would greatly expand the role of the SSN card in work authoriza- 
tion, and it raises a number of essential questions that I hope we will address today. 

Eirst, how confident can we be that a particular SSN was issued based on accu- 
rate information? The answer, as we have learned from previous hearings, depends 
on when the SSN card was issued. It wasn’t until 1978 that all SSN applicants were 
required to provide proof of their identity, age, and citizen or non-citizen status. Be- 
fore 2002, the Social Security Administration did not consistently verify birth certifi- 
cates or immigration documents with the issuing agency. 

Adding new security features to the SSN card today will not assure the accuracy 
of the data originally used to issue an SSN. To raise the level of accuracy, all SSN 
cardholders in the workforce would have to apply for new cards and provide full doc- 
umentation of their identity, citizen or non-citizen status, and age. What would this 
cost? What impact would this have on the Social Security Administration? 

Second, what are the options for designing a counterfeit and tamper-resistant 
SSN card? As required by the Intelligence Reform and Terrorism Prevention Act of 
2004, the Social Security Administration is working with the Department of Home- 
land Security to improve the security of SSNs and SSN cards and implement such 
improvements by June 2006. It is important to establish the range of options for 
a counterfeit and tamper-resistant card, the costs of the options, whether the op- 
tions will work, as well as non-SSN card options to verify identity and work author- 
ization. 

Third, what are the ramifications of transforming the SSN card into an identity 
card? Currently, the SSN card serves only to show that an SSN was assigned to 
the individual named on the card. It does not contain features to prove that the 
cardholder is the individual named on the card. 

Changing the SSN card into an ID could encourage its use for other purposes, 
given the widespread use of the SSN itself in many personal and financial trans- 
actions. Adding identification features to the SSN card could duplicate efforts al- 
ready underway to provide secure identity documentation — such as improved driv- 
er’s licenses and State-issued ID cards called for under the REAL ID Act. 

Finally, we must be mindful to examine these issues in a greater context. For ex- 
ample, if employers are ultimately required to verify SSNs and employment eligi- 
bility through a government database (as required under some proposals), then em- 
ployers may only need proof of the worker’s identity. The database could confirm 
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the person’s SSN and emplojnnent eligibility without the need for an enhanced SSN 
card. 

I look forward to hearing the testimony and recommendations of our witnesses 
and welcome the views of my colleagues on these complex issues. I believe that it 
is our responsibility as legislators to work for a balanced, thoughtful approach — one 
that will deter unauthorized employment without placing undue burdens on busi- 
nesses, while protecting the privacy of our fellow Americans. 


Mr. LEVIN. I will do likewise, so we can hear your testimony 
and have an hour to think about it. 

[Laughter.] 

Mr. LEVIN. Thank you. 

[The prepared statement of Mr. Levin follows:] 

Opening Statement of The Honorable Sander M. Levin, a Representative in 
Congress from the State of Michigan 

Today our Subcommittee has the opportunity to examine two issues — our ongoing, 
non-controversial effort to ensure that Social Security cards are not counterfeited, 
and the more controversial debate about whether it is appropriate to make the So- 
cial Security card into a national identification card. 

These are issues squarely within the jurisdiction of the Ways & Means Com- 
mittee. I am pleased that the Chairman has provided this opportunity for us to dis- 
cuss them and to learn more about the proposals and the issues from our colleagues 
and a panel of experts. 

As the Committee of jurisdiction, it is also our responsibility to oversee the efforts 
already underway. As required by the Intelligence Reform and Terrorism Prevention 
Act of 2004, the Social Security Administration and the Department of Homeland 
Security are currently identifying options for making Social Security cards more se- 
cure, with the goal of implementing improvements by this June. Each option im- 
poses certain costs, both in dollars and in loss of personal privacy, so it is important 
for our Committee to weigh the costs and benefits and to keep in close touch with 
the agencies involved. 

I look forward to a frank and thoughtful discussion of these complex issues. 


Chairman MCCRERY. Thank you, Mr. Levin. We are also going 
to reverse the order of the panels this morning so that we can 
allow these gentlemen to get their testimony in and perhaps go 
through a few questions before votes are called, and then, the first 
panel, which consists of two of our colleagues, we will retrieve as 
we can and then finish the hearing, but that way, we will not have 
you all sitting around on your thumbs all morning. 

With that, I would introduce our first panel this morning: the 
Honorable Patrick O’Carroll, Inspector General, Social Security Ad- 
ministration (SSA), and he is accompanied this morning by Richard 
Outland, Branch Chief, Questioned Document Branch, Eorensic 
Services Division, U.S. Secret Service; and Mr. Erederick G. 
Streckewald, Assistant Deputy Commissioner, Disability Income 
Security Programs, the SSA; welcome back, both of you gentlemen; 
Stephen Kent, Chairman, Committee on Authentication Tech- 
nologies and their Privacy Implications, National Research Council, 
the National Academies; and Marc Rotenberg, President, Electronic 
Privacy Information Center. Welcome, all of you gentlemen, and we 
will begin with Mr. O’Carroll. 
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STATEMENT OF THE HONORABLE PATRICK O’CARROLL, IN- 
SPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION, 

ACCOMPANIED BY RICHARD OUTLAND, BRANCH CHIEF, 

QUESTIONED DOCUMENT BRANCH, FORENSIC SERVICES DI- 
VISION, U.S. SECRET SERVICE 

Mr. O’CARROLL. Good morning, Chairman McCrery, Congress- 
man Levin. Thank you for inviting me to be here today. I would 
like to focus on our investigative efforts with respect to SSN mis- 
use. 

With me today is Mr. Richard Outland, Assistant Chief, U.S. Se- 
cret Service, Forensic Services Division. Based on a longstanding 
interagency agreement, when our agents come across suspected 
counterfeited Social Security cards, they are referred to the Secret 
Service for further forensic examination. Mr. Outland is here today 
to answer any technical questions. 

No matter how carefully we protect the SSN, there will be those 
who find a way to turn the number to nefarious purposes, and 
when they do, our special agents will be there. Our statutory mis- 
sion is to protect the SSA’s programs and operations from fraud, 
and abuse. At the core of that mission is the protection of the So- 
cial Security Trust Funds that provide benefits to millions of Amer- 
icans every month. 

To that end, 79 percent of our cases we investigated last year 
were for program fraud. Still, we are ever mindful of our obligation 
to protect the SSN from misuse. In fact, 16 percent of our inves- 
tigations involved SSN misuse. 

To maximize our resources, we focus our overall SSN misuse en- 
ergies in cooperative efforts with other Federal, State, and local 
task forces. At last count, we were involved in almost 200 task 
forces and work groups across the country. For example, our agents 
on the Central Florida Identity Theft Task Force concluded a case 
last year in which they apprehended 15 members of an identity 
theft ring. They would obtain lists of individuals with good credit 
histories and use the personal information of those individuals to 
defraud a variety of commercial entities in the Orlando area. 
Twelve of the 15 individuals arrested were sentenced to prison, and 
all were ordered to repay more than $2 million to the victims. 

Our own internal caseload is no less daunting, and our solo work 
is equally impressive. We see allegations of SSN misuse in myriad 
forms every day. One such allegation from a SSA district office con- 
cerned a woman who was receiving disability benefits under two 
separate SSNs and insisted that she was one half of a set of iden- 
tical twins. Our investigators asked her to provide a copy of her 
birth certificate, while unbeknownst to her, we were obtaining one 
directly from the State Bureau of Vital Statistics. The one we ob- 
tained showed a single birth, and the altered one she produced had 
the same control number and signatures but showed a twin birth. 

Before we confronted her with the fact that we had uncovered 
her forgery, she had asked her Congressman to intervene on her 
behalf and demanded that her nonexistent twin’s benefits be rein- 
stated. We were only too happy to share the forged birth certificate 
with the Congressman. 

We see SSN misuse cases like this every day. What we see less 
frequently, however, are cases involving counterfeit Social Security 
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cards. While we take such cases very seriously and have recently 
disrupted several counterfeit identity operations, the reality is that 
the Social Security card serves as little more than a hard copy 
record of a number that we all memorize at an early age. 

While the SSN itself is necessary to obtain employment, to ob- 
tain a loan, and for countless other purposes, we rarely, if ever, are 
asked to show anyone our Social Security cards. The card was de- 
signed for a single purpose: to provide the holder with a number 
used to track earnings and pay benefits. 

While the uses of the number have expanded significantly over 
the decades, the uses of the card have remained more or less the 
same. There is no question that periodic security improvements to 
the card are necessary to stay one step ahead of tech savvy coun- 
terfeiters. As long as the use of the card remains as limited as it 
has been, it is difficult to justify the expense that would be in- 
curred in creating a “counterfeit card.” 

Of course, if Congress decides to expand the uses of the Social 
Security card, then, those expenses might become necessary. If this 
is Congress’ ultimate decision, we will do everything possible to 
work with you and the SSA to make the card as counterfeit-proof 
as possible. Until then, we will continue our audit and investigative 
efforts to combat SSN misuse and provide the SSA and Congress 
with timely and accurate information. 

Thank you, and if you have any questions, I will be happy to an- 
swer them. 

[The prepared statement of Mr. O’Carroll follows:] 

Statement of The Honorable Patrick P. O’Carroll, Inspector General, Social 

Security Administration; accompanied by Richard L. Outland, Assistant 

Branch Chief — Questioned Document Branch, Forensic Services Division, 

U.S. Secret Service 

Good morning, Chairman McCrery, Congressman Levin, and Members of the Sub- 
committee. This is our fourth hearing in this series on high-risk Social Security 
number (SSN) issues, and I applaud your efforts and dedication in giving these 
issues the attention they deserve. The SSN is a key to American life in many ways, 
and as we have seen throughout this series of hearings, its misuse has repercus- 
sions that cause a ripple effect across the American landscape. 

Much of my testimony in the first three hearings has centered on largely adminis- 
trative issues. At the first hearing, we discussed enumeration, the process by which 
the Social Security Administration (SSA) issues SSNs; at the second hearing, we 
discussed SSN misuse in the context of misreported wages, particularly by forei^- 
born workers without authorization to work in the United States; and, at the third 
hearing earlier this month, we discussed enumeration of foreign-born individuals 
and the payment of benefits to those born or residing abroad. 

Today, I would like to discuss our investigative efforts to combat SSN misuse in 
all forms. Our Office of Investigations (01) is dedicated to preventing and detecting 
fraud against SSA’s programs and operations, and SSN misuse is an important facet 
of that overall investigative effort. Obviously, with finite resources, and with many 
areas of responsibility, including program fraud, employee fraud, contract fraud, and 
others, we are mindful that our primary responsibility is to protect the Trust Funds 
that provide benefits to millions of Americans every month. At the same time, our 
responsibility to protect the integrity of the SSN cannot be overstated. We strive 
continuously to strike an appropriate balance. 

To give you some sense of how we strike that balance, consider that in Fiscal Year 
(FY) 2005, the Office of the Inspector General (OIG) received about 85,000 allega- 
tions of fraud, 84 percent of which involved fraud against a Social Security program, 
such as disability insurance benefits. Approximately 13 percent — almost 11,000 alle- 
gations — involved SSN misuse. It is important to understand that these SSN misuse 
allegations are limited to incidents of SSN misuse involving a Social Security pro- 
gram or otherwise directly related to the administration of the Social Security Act. 
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Allegations of pure identity theft, financial fraud, and other non-SSA-related crimes 
are referred to appropriate sources, and are not included in this total. 

Looking at actual investigations conducted during FY 2005, 01 opened approxi- 
mately 9,500 cases, of which 79 percent involved crimes against Social Security pro- 
grams, while just over 16 percent involved SSN misuse. Thus, while we actually in- 
vestigate a higher proportion of allegations in the SSN misuse category than in the 
program fraud category, we still invest more than four times more resources in pro- 
gram fraud than in SSN misuse. The results of an audit we will issue shortly, in 
which we provide an estimate of the rate of overpayments in Social Security’s dis- 
ability programs, underscores the importance of our emphasis on program fraud. 
Our statutory mission is to protect SSA programs and operations, and to the extent 
that an allegation of SSN misuse does not touch on those programs, our resources 
do not generally allow us to pursue it. 

We do, however, play a role in the overall government effort to protect against 
SSN misuse in a multijurisdictional context. Our affirmative and aggressive ap- 
proach to SSN misuse of this type is designed to maximize our resources through 
the effective use of task forces, workgroups, and other cooperative efforts. 

At this time, our investigators across the country are members of almost 200 task 
forces and workgroups in all ten of our field divisions. These groups, comprised of 
Federal, State, and local law enforcement agencies, pool resources and, when per- 
mitted, share information to accomplish more than each member could ever accom- 
plish on its own. The groups range from Joint Terrorism Task Forces run by United 
States Attorneys, to white collar crime groups, to financial fraud workgroups. 

The work done by these groups is astounding. For example, our agents on the 
Central Florida Identity Theft task force, a group comprised of ten law enforcement 
agencies, concluded a case last year in which they apprehended fifteen members of 
an identity fraud ring who would obtain lists of individuals with good credit his- 
tories, and use the personal information of those individuals to defraud a variety 
of commercial entities in the Orlando area. Twelve of the fifteen individuals ar- 
rested were sentenced to prison terms, and the total restitution ordered to victims 
exceeded $2 million. 

In another case, our New York Field Division, working on a task force with other 
agencies including the U.S. Secret Service, investigated the hijacking of a deceased 
Social Security beneficiary’s bank account. The complex investigation revealed that 
the subjects not only continued to receive the deceased woman’s benefits — totaling 
some $80,000 — but also used her bank account to launder counterfeit checks created 
with the help of a corrupt bank employee. They then went on to steal other SSNs 
and identities and open additional accounts, which they would use both to create 
additional fraudulent checks and to launder them. In all, they cashed about 
$300,000 in bad checks and opened credit card accounts from which they stole an- 
other $100,000. 

Since cases like this represent an opportunity to achieve a significant return with 
only minimal investment of resources — our agent in this ten-agency task force still 
maintains a “normal” caseload — we can afford to contribute substantially to the 
overall effort to stop SSNs being used as instruments of a crime. If each of the 200 
task forces in which we participate makes only a few cases like this each year, we 
are able to have a far greater effect than we could ever have working alone. 

However, our day-to-day program-related SSN misuse caseload is no less 
daunting, and our solo work is equally impressive. We see allegations of SSN misuse 
in its myriad forms come in every day by phone, fax, e-mail, and in electronic refer- 
rals from SSA employees. One such referral from an SSA District Office concerned 
a woman who was confronted by SSA with the fact that she appeared to be receiving 
disability benefits under two separate SSNs. Each set of benefits was going to the 
same name, the same address, and for the same disability, but under two different 
SSNs. The woman informed SSA, and subsequently our investigators, that she had 
a twin sister. Despite the fact that both sets of benefits were going to the same ad- 
dress, the woman alleged that she and her identical twin were estranged and did 
not speak. 

Our investigators obtained a copy of the woman’s birth certificate from the state 
vital records office. It showed that hers had been a single birth, not a twin birth. 
Additional investigation uncovered no other evidence that a twin had ever existed. 
Our investigators asked the woman to provide a copy of her birth certificate, and 
she eventually provided the same document we had obtained from the state without 
her knowledge. It had the same control number and the same signatures, but the 
altered copy she provided showed a twin birth. We recontacted the vital statistics 
office and confirmed that no official change had been made since we’d obtained our 
copy. The woman, unaware that we had her original birth certificate, continued to 
demand that her duplicate benefits be reinstated, even going so far as to write to 
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her Congressman to demand that he intercede on her behalf. We showed the Con- 
gressman the two versions of the birth certificate, and that ended the woman’s ill- 
conceived mission. 

In another case, our investigation revealed that a woman had been working full- 
time since 1978 under one SSN and receiving Title XVI disability payments since 
1973 under a second SSN. From 1978 until 2001, she worked full-time for various 
healthcare agencies while certif 3 dng each year to SSA that she was not working. In 
2001, the woman applied for Title II disability benefits under the first SSN, based 
on her extensive work history. A Title XVI claims representative recognized the 
woman during her appointment to apply for Title II benefits, and referred the case 
to OIG. She later admitted to OIG agents that she had been working for 23 years 
while receiving Title XVI payments. She eventually pled guilty to theft of govern- 
ment funds and making false statements, and was sentenced in May 2005 to 6 
months’ incarceration in federal prison, 6 months’ home detention with an electronic 
monitoring device, and 5 years’ probation, and was ordered to pay full restitution 
of $166,767. 

While SSN misuse cases like these are made by our investigators every day, we 
encounter cases involving counterfeit Social Security cards much less frequently. 
The practical reality is that most of us were issued our Social Security cards not 
long after we were born, and we long ago committed our SSNs to memory. But the 
cards themselves were probably placed in a drawer or box many years ago, and have 
rarely been seen or used since. Almost every entity imaginable, from government, 
to medical facilities and insurance carriers, to creditors, to employers and beyond 
may and often do ask for SSNs; but rarely, if ever, do they ask to see the card itself. 

Our work reviewing SSA’s automated employee verification services, such as the 
Social Security Number Verification Service (SSNVS), further underscores this re- 
ality. Employers seeking to confirm the SSN of a current or prospective employee 
need only take advantage of this service to go online and match the employee’s 
name, SSN, date of birth, and gender against SSA’s records — all without ever la 3 dng 
eyes on an actual Social Security card. Of course, for verification services such as 
SSNVS to be truly effective, we must be confident that the information in SSA’s 
databases is as accurate as possible, and our prior audit work has revealed that this 
may not always be the case. Nevertheless, SSNVS and other verification services 
even further minimize the need to carry or present the card. Indeed, today, the card 
is little more than a “hard copy” of a number that is already contained in various 
databases throughout society and government. This is consistent with the purpose 
for which the card was created 70 years ago, and while there should always he secu- 
rity enhancements made to stay one step ahead of tech-savvy counterfeiters, it 
would be hard to justify the expense involved in replacing all Social Security cards 
with “hard” cards as long as their utility remains as limited as it is. 

From time to time, there is talk of expanding the card’s use beyond its current 
functions, and obviously, this issue is one for Congress to debate. If a decision is 
made to transform the Social Security card into something more than it is, signifi- 
cant improvements may then have to made in the document. Moreover, it could cre- 
ate a significant new workload for SSA — one that might fall outside of the Agency’s 
current and historical function, or even further heighten the tension between service 
and integrity. 

Whatever Congress may determine is an appropriate role for the Social Security 
card to play, our office is happy to provide whatever audit and investigative work 
might prove helpful. In the interim, we will continue our tireless efforts to prevent 
and detect misuse of the Social Security number as well as the Social Security card 
itself 


Chairman MCCRERY. Thank you, Mr. O’Carroll. Mr. 
Streckewald. 

STATEMENT OF FREDERICK G. STRECKEWALD, ASSISTANT 
DEPUTY COMMISSIONER FOR PROGRAM POLICY, OFFICE OF 
DISABILITY AND INCOME SECURITY PROGRAMS, SOCIAL SE- 
CURITY ADMINISTRATION 

Mr. STRECKEWALD. Thank you, Mr. Chairman, Mr. Levin. 
Thank you for inviting me here today to discuss the SSA’s enu- 
meration process. This is the process used to assign a SSN to an 
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individual. This series of Subcommittee hearings highlights the im- 
portance of this core agency function. I will summarize my written 
statement and will ask that it be included for the record. 

The Social Security card was never intended and does not serve 
as a personal identification document; that is, the card does not es- 
tablish that the person presenting it is actually the person whose 
name and SSN appear on the card. Although the SSA has made 
many changes to make it counterfeit-resistant, the card does not 
contain information that would allow the card to be used as proof 
of identity. 

Beginning in 1983, the Social Security Act (P.L. 74-271) required 
that SSN cards be made of banknote paper and to the maximum 
extent practicable, be a card that cannot be counterfeited. The SSA 
worked with the Bureau of Engraving and Printing, the Secret 
Service, and the Federal Bureau of Investigation to design a card 
that met these requirements. All Social Security cards issued since 
October 1983 incorporate a number of security features intended to 
make the card counterfeit-resistant and tamper-proof. 

Some of these features include but are not limited to a tamper- 
proof, marbleized background, intaglio printing in some areas of 
the printing in the card, and colored planchets, which are small 
disks, randomly displayed on the card. Obviously, some security 
features have not been made public; other features — some features 
have been made public; others have not in order to protect the se- 
curity of the card. 

As required by the Intelligence Reform and Terrorism Prevention 
Act of 2004 (IRTPA) (P.L. 108-458), the SSA, in consultation with 
the U.S. Department of Homeland Security (DHS), formed a task 
force to establish requirements that will further improve the secu- 
rity of SSNs and cards. The task force is considering a wide range 
of security features that would strengthen the Social Security card, 
and we will develop a plan for implementing the task force rec- 
ommendations. 

Last year, we estimated that a card with enhanced security fea- 
tures, such as biometric identifiers, would cost approximately $25 
per card, not including the startup investments associated with the 
purchase of equipment needed to produce and issue this type of 
card. While any estimate would ultimately depend upon the details 
of the proposal, last year’s estimate of replacing cards for 240 mil- 
lion cardholders nationwide was approximately $9.5 billion. 

Currently, however, we know the cost of issuing an SSN card has 
increased by approximately $3 due to new requirements for addi- 
tional verification of evidence. So, we anticipate an increase in the 
total cost estimate when we update our figures to reflect current 
dollar costs. 

It is important to note that just as a SSN card does establish 
identity, neither does it always reflect the individual’s current au- 
thorization status. The SSN card only reflects an individual’s work 
authorization status at the time the card was issued. It is a snap- 
shot in time. An individual’s work authorization status may change 
over the years, and DHS has sole jurisdiction over the work author- 
ization for noncitizens. 

Over the years, the SSA has made continued enhancements to 
the Social Security card. Due to the substantial cost of replacing all 
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cards in use, older versions of the card remain valid. Thus, there 
are about 50 different variations of the SSN card in use that have 
been issued since 1936. 

In addition to the changes the SSA made after September 11, 
which I have outlined in previous hearings before the Sub- 
committee, the IRTPA contains several additional provisions to 
strengthen the integrity of our enumeration process. Two key pro- 
visions include the implementation of limits on the number of re- 
placement cards an individual can receive, three per year and ten 
per lifetime. 

With limited exceptions and the addition of death and fraud indi- 
cators to SSN verification routines for employers. State agencies 
issuing drivers’ licenses and identity cards and other verification 
routines as determined to be appropriate. The SSA implemented 
the restrictions on replacement SSN cards effective December 17, 
2005, as required by the IRTPA law. In addition, we place death 
indicators on our SSN verification services with the Department of 
Motor Vehicles and employers on March 6, 2006, also ahead of 
time, required by the law. We continue to work to ensure that 
fraud indicators will be addressed, added to the SSN verification by 
December 2007, which is the legislatively mandated date. 

In conclusion, we must remember that with all of the improve- 
ments in the assignment of SSNs, the Social Security card is still 
just a record of the SSN assigned to the individual, and it is not 
an identity document. I look forward to working with you to con- 
tinue to improve the SSA’s processes, and I will be happy to an- 
swer any questions you might have. 

[The prepared statement of Mr. Streckewald follows:] 

Statement of Frederiek G. Streckewald, Assistant Deputy Commissioner, 

Disability and Income Security Programs, Social Security Administration 

Mr. Chairman and Members of the Committee: 

Thank you for inviting me today to discuss the Social Security Administration’s 
(SSA’s) enumeration process. This is the process used to assign a Social Security 
Number (SSN) to an individual. This series of hearings the Subcommittee is holding 
have served to highlight the importance of this core agency function. As stewards 
of the Social Security program, one of our strategic objectives is to strengthen the 
integrity of the enumeration process. We recognize that protection of the SSN is one 
of the top issues facing SSA management, and I am pleased to have the opportunity 
to discuss SSA’s enumeration process. 

History of the Soeial Security Number and Card 

The Social Security Number is a nine-digit number, used to identify the record 
of earnings an individual has in employment or self-employment. A numbering sys- 
tem that is based on digits allows for the orderly assignment of numbers and for 
the potential assignment of as many as 900 million unique SSNs excluding the 900 
series reserved for the use of the Internal Revenue Service (IRS). SSA has assigned 
over 436 million SSNs since 1936. 

At the time the Social Security card was developed, its only purpose was to pro- 
vide a record of the number that had been assigned to the individual so that em- 
ployers could accurately report the earnings of people who worked in jobs covered 
under the new Social Security program. This is still the primary purpose for which 
SSA assigns a number and issues a card. 

The card was never intended and does not serve as a personal identification docu- 
ment — that is, the card does not establish that the person presenting it is actually 
the person whose name and SSN appear on the card. Although SSA has made many 
changes to make it counterfeit resistant, the card does not contain information that 
would allow the card to be used as proof of identity. 
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Use of the SSN Expands Over Time 

The purpose of the SSN and card was narrowly drawn at the beginning of the 
program. However, the use of the SSN as a convenient means of identifying records 
in large systems of records increased over the years. In 1943, Executive Order 9397 
required Federal agencies to use the SSN in any new record system maintained on 
individuals. Using the SSN as an identifier in federal record systems proved to be 
an early reflection of what has become an enduring trend expanding the uses of the 
SSN. 

The simplicity and efficiency of using a seemingly unique number that most peo- 
ple already possessed encouraged widespread use of the SSN by both government 
agencies and private enterprises. As record-keeping and business systems moved to 
automated data processing, the characteristics of the SSN made it a popular choice 
for record identification. In 1961, the Federal Civil Service Commission established 
a numerical identification system for all Federal employees using the SSN as the 
identification number. The next year, the IRS decided to begin using the SSN as 
its taxpayer identification number (TIN) for individuals. In 1967, the Defense De- 
partment adopted the SSN as the service number for military personnel. At the 
same time, use of the SSN for computer and other accounting systems spread 
throughout State and local governments and to the private sector, especially to 
banks, credit bureaus, hospitals, and educational institutions. There were no legisla- 
tive restrictions on the use of the SSN at that time. 

Statutory Provision Relating to the Public Sector 

The first explicit statutory authority to issue SSNs was enacted in 1972. Prior to 
that time, SSNs were issued pursuant to administrative procedures that the Agency 
had established. Subsequent Congresses have enacted legislation requiring individ- 
uals to have an SSN in order to receive Supplemental Security Income (SSI), Tem- 
porary Assistance for Needy Families (TANF), Medicaid, and food stamps. Addi- 
tional legislation authorized States to use the SSN in the administration of tax, gen- 
eral public assistance, driver’s license, and motor vehicle registration laws. 

Partly in response to concerns about the proliferation of the use of the SSN, Con- 
gress enacted the Privacy Act of 1974. It provided that, except when disclosure is 
required by Federal statute or by state or local statute or regulation adopted prior 
to January 1976, no Federal, State, or local government could withhold a right, 
privilege or benefit from a person simply because the person refused to furnish his 
or her SSN. 

In the 1980s and 1990s, new legislation authorized additional governmental uses 
of the SSN, including income and eligibility verification, military draft registration, 
and for operators of stores that redeem food stamps. Legislation was also enacted 
that required taxpayers to provide the SSNs of dependents on tax returns. 

A further expansion of the government’s use of the SSN was included in welfare 
reform legislation enacted in 1996. In order to improve child support enforcement. 
Congress required the SSN to be recorded in a broad array of records, including ap- 
plications for professional licenses and marriage licenses, and placed in the record 
of divorce decrees, support orders, and paternity determinations. 

Use of the SSN by the Private Seetor 

Generally, there are no restrictions in Federal law on the use of the SSN by the 
private sector. Businesses may ask for a customer’s SSN for such things as renting 
a video, applying for credit cards, obtaining medical services, and applying for public 
utilities. Customers may refuse to provide their number; however, a business may, 
in turn, decline to furnish the product or service. 

Continuing advances in computer technology, the ready availability of computer- 
ized data, and rapidly increasing use of the internet have encouraged the growth 
of information brokers who amass and sell large volumes of personal information, 
including SSNs collected by businesses. When possible, information brokers store 
and retrieve information about an individual by that individual’s SSN because the 
SSN provides an easy method of maintaining computerized records and can be used 
to compare those records with other business systems which may also use the SSN 
as a file identifier. 

Contemporary Challenges Regarding the Use of the SSN 

The use of the SSN has become widespread in our society. The cumulative effect 
has been that the SSN has become the most widely used identifier by both govern- 
ment and the private sector in establishing and maintaining information about a 
given individual in various public as well as private record systems. An unintended 
consequence is that the SSN has also become a tool used by those intent on stealing 
another person’s identity or creating a false identity. We are very concerned about 
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the misuse of the SSN, and we work closely with SSA’s Inspector General, the Fed- 
eral Trade Commission and the Department of Justice to help deter identity theft 
and assist in the apprehension and conviction of those who engage in this crime. 

Assignment of the SSN 

The Number 

Prior to 1972, SSNs and cards were issued in our local field offices. Since 1972, 
SSNs have been issued centrally. 

Generally, to obtain an SSN, individuals must apply for an SSN by filing a signed 
Form SS-6 “Application for a Social Security Card” and by submitting the required 
evidence. Currently, all applicants for an original number and card must submit evi- 
dence of age, identity, and United States citizenship or alien status to a Social Secu- 
rity field office (FO). FO personnel assist with the completion of the SS-5 applica- 
tion. Applicants for replacement Social Security cards must submit evidence of iden- 
tity, and foreign born applicants must also provide evidence of their immigration 
status. The SS-5 application includes information about the applicant’s name, mail- 
ing address, citizenship, sex, race/ethnic description (optional), date and place of 
birth, mother’s maiden name and SSN, and father’s name and SSN. However, a par- 
ent’s SSN is only required for applicants for an original SSN who are under age 
18. 

While the information required on the SS-5 application has remained essentially 
the same over the years, the law and enumeration process have changed to ensure 
that SSA assigns SSNs only to eligible individuals. To strengthen the process, SSA 
has instituted additional safeguards to prevent a person from fraudulently obtaining 
an SSN. For example: 

• SSA verifies immigration status with DHS before assigning an SSN to a non- 
citizen. 

• SSA requires a mandatory in-office interview with all applicants age 12 or older 
since the majority of individuals born in the U.S. have been assigned an SSN 
by the time they reached age 12. 

• As a result of Intelligence Reform and Terrorism Prevention Act of 2004 
(IRTPA), Public Law (P.L.)108-458, SSA implemented policy changes effective 
December 17, 2005 that restrict the issuance of replacement SSN cards to no 
more than three per year and no more than ten per lifetime; establish minimum 
verification standards for documents submitted in support of an application for 
an SSN ; and require independent verification of birth records of individuals of 
all ages appl 3 dng for an original SSN card. 

• Effective November 2005, we added systems edits to our Enumeration at Birth 
(EAB) program so that children who have not yet been given a first name in 
the hospital are not assigned a Social Security Number until the parent submits 
documentation of the child’s name. SSA has also implemented additional safe- 
guards designed to prevent the assignment of multiple SSNs to the same child. 

I would also like to highlight some earlier changes that SSA implemented over 
the years to strengthen the enumeration process. 

At the inception of the program, all SSNs were assigned and cards issued based 
solely on information provided by the applicant. Evidence of identity was not re- 
quired. Over time, as the use of the number was expanded for other purposes, SSA 
recognized that changes were necessary to protect the integrity of the card and enu- 
meration process. Beginning in November 1971, persons age 55 and over applying 
for an SSN for the first time were required to submit evidence of identity. As of 
April 1974, non-citizens were required to submit documentary evidence of age, iden- 
tity and immigration status. This made it more difficult to obtain a card on the 
basis of a false identity. SSA was also concerned that individuals who had been as- 
signed SSNs for purposes other than work might use the card to obtain unauthor- 
ized employment. Therefore, in July 1974, we began to annotate our records to re- 
flect the fact that a non-citizen had been issued an SSN for nonwork purposes. Sev- 
eral years later, the integrity of the SSN was further improved. In May 1978, we 
began requiring all SSN applicants to provide evidence of age, identity and United 
States citizenship or non-citizen status. 

Enumeration at Birth Process (EAB) 

Because of increased demand for SSNs for children at earlier ages due to tax and 
banking requirements, SSA developed the EAB process in 1987. SSA recognized 
that all the information needed to process an SSN application for a newborn was 
gathered by hospital employees at the child’s birth and verified with the respective 
bureaus of vital statistics. Nearly three-quarters of all requests for an original SSN 
are now completed through this process. 
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This program is available in the fifty states, the District of Columbia, and Puerto 
Rico, and allows parents to indicate on the birth certificate form whether they want 
an SSN assigned to their newborn child. When a parent requests an SSN for a child, 
the State vital statistics office receives the request with the birth registration data 
from the hospital and then forwards this information to SSA. Under these proce- 
dures, the parent is not required to file a separate application for an SSN for the 
child. Based on the information the State forwards to SSA, we assign an SSN and 
issue a card for the child. 

It is important to note that EAB is a voluntary program on the part of the hos- 
pitals and the States and other jurisdictions. No law requires state or hospital par- 
ticipation. The program is administered under the provisions of a contract between 
each state and SSA. SSA reimburses the states for participation on a per item basis 
(currently $2.04 for each birth record). EAB is a far more secure way to enumerate 
newborns. In addition, the program provides significant savings to the Federal gov- 
ernment and a convenient service option for the public. 

Enumeration at Entry (EAE) 

To reduce fraud and improve government efficiency, SSA inaugurated our Enu- 
meration-at-Entry process in October 2002. Under this process, SSA has entered 
into agreements with DHS and the Department of State (DOS) for those agencies 
to assist SSA in enumerating aliens. To assist SSA, DOS collects enumeration data 
as part of the immigration process. When the immigrant enters the United States, 
DHS notifies SSA and the card is issued. 

Social Security Cards 

In the beginning of the Social Security program, no special efforts were needed 
to prevent the Social Security card from being counterfeited. However, as the card’s 
use expanded and technology improved, counterfeiting became a concern. Beginning 
in 1983, the Social Security Act required that SSN cards be made of banknote 
paper, and to the maximum extent practicable be a card that cannot be counter- 
feited. SSA worked with the Bureau of Engraving and Printing, the Secret Service, 
and the Federal Bureau of Investigation to design a card that met these require- 
ments. 

All Social Security cards issued since October 1983 incorporate a number of secu- 
rity features intended to make the card counterfeit-resistant and tamper-proof. 
Some of these features include, but are not limited to, a tamper-proof marbleized 
background; Intaglio printing in some areas of the card; and colored planchettes 
(small discs) randomly displayed on the card. Obviously, while some security fea- 
tures have been made public, other features have not in order to protect the security 
of the card. 

The immigration and welfare reform legislation passed in 1996 required SSA to 
develop a prototype of a new card as well as study and report on different methods 
for improving the Social Security card process. In 1997, SSA issued a report to Con- 
gress on “Options for Enhancing the Social Security Card,” and earlier this year pro- 
vided the Subcommittee with an update on some of the findings in the report. 

As you are aware, the expertise of counterfeiters and the wide availability of 
state-of-the-art technology make it increasingly difficult to develop and maintain a 
document that cannot be counterfeited, despite best efforts to guard against such 
incidents. Therefore, SSA continues to evaluate new technology as it becomes avail- 
able to determine if additional features should be included. 

As required by P.L. 108-458, SSA, in consultation with DHS, has formed a 
taskforce to establish requirements that will further improve the security of Social 
Security numbers and cards. Since current law requires the card to be printed on 
banknote paper, the taskforce is limited to consideration of improvements to this 
type of card. The taskforce includes representation from DHS and several other 
agencies, including the Federal Bureau of Investigation, Department of State and 
the Government Printing Office. The taskforce is considering a wide range of secu- 
rity features that would strengthen the Social Security card, and we will develop 
a plan for implementing the taskforce recommendations. 

The cost of replacing the current SSN card with a new version that includes en- 
hanced security features would depend upon features to be included, e.g. biometric 
identifiers, and the universe of card-holders needing a new card. The cost of the 
card itself is minimal. The cost is driven by the cost of verifying the identity of the 
person applying for the card and, in the case of aliens, determining the immigration 
status and work authorization. 

Last year, we estimated a card with enhanced security features such as biometric 
identifiers would cost approximately $25.00 per card, not including the start-up in- 
vestments associated with the purchase of equipment needed to produce and issue 
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this type of card. While any estimate would ultimately depend on the details of the 
proposal, last year’s estimate for replacing cards for 240 million cardholders nation- 
wide was approximately $9.5 billion. Currently however we know that the cost of 
issuing SSN cards has increased by approximately $3.00, due to new requirements 
for additional verification of evidence, so we anticipate an increase in the total cost 
estimate when we update our figures to reflect current dollar costs. 

Legends on the SSN Cards 

I would now like to discuss the relationship between the Social Security card and 
work authorization. The Immigration Reform and Control Act of 1986 (IRCA) makes 
it illegal for an employer to knowingly hire anyone not legally permitted to work 
in the United States. TJnder IRCA, all employers are required to verify the identity 
and employment eligibility of all new employees regardless of citizenship or national 
origin. There are a number of documents specified in the law and DHS regulations 
which may be used for this purpose. Some documents, such as a United States pass- 
port, establish both employment eligibility and identity. Others, including a Social 
Security card without a restrictive legend, can be used to establish employment eli- 
gibility but do not establish identity and must be accompanied by an identification 
document, such as a State driver’s license. 

It is important to note that, just as the Social Security number or card does not 
establish identity, neither does it always reflect an individual’s current work author- 
ization status. The SSN card only reflects an individual’s work authorization status 
at the time the card was issued — it is a snapshot in time. An individual’s work au- 
thorization status may change over the years, and the DHS has sole jurisdiction 
over work authorization determinations for noncitizens. 

The vast majority of original Social Security cards are issued to United States citi- 
zens or to non-citizens who have been permanently authorized to work in the United 
States. These cards show only the name and SSN of the individual. 

Unlike the cards issued to United States citizens or to non-citizens who have been 
permanently authorized to work in the United States, cards issued to non-citizens 
who are not authorized to work or who are only temporarily authorized to work bear 
one of two legends describing work authorization status at the time the card was 
issued. 

“Not Valid for Employment” 

Initially, SSA issued the same type of Social Security card to everyone, whether 
or not the individuals were authorized to work. In 1974, SSA began assigning SSNs 
for nonwork purposes, but the card was not specifically annotated. Beginning in 
May 1982, SSA started issuing cards printed with the legend “Not Valid for Employ- 
ment” to non-citizens who are not authorized to work. This was due to the increas- 
ing need for individuals to have SSNs for nonwork purposes and concerns that such 
individuals might otherwise use their SSNs for work. With this restrictive legend 
appearing on a card, employers were able, for the first time, to determine whether 
the individual to whom the card was issued was authorized to work. Of course, an 
employer could not rely solely on the card to establish that the person presenting 
the card was the person to whom the SSN was assigned. 

Cards containing this legend are often referred to as “nonwork SSNs.” In October 
2003, SSA significantly tightened the rules concerning issuance of nonwork SSNs. 
SSA only issues such an SSN when l)a Federal statute or regulation requires an 
SSN to receive a particular benefit or service, which an alien has otherwise estab- 
lished entitlement; or 2) a State or local law requires an SSN to get public assist- 
ance benefits, to which the alien has otherwise established entitlement and for 
which all other requirements have been met. 

“Valid for Work Only with DHS Authorization” 

Beginning in September 1992, SSA began issuing cards with the legend “Valid for 
Work Only with INS Authorization” to noncitizens lawfully in the United States 
with temporary authorization to work. This legend has been changed to “Valid for 
Work Only with DHS Authorization” to reflect the change from “INS” to “DHS”. In 
these cases, employers must look at the non-citizen’s DHS documents to determine 
if the individual has current work authorization. In addition a participating em- 
ployer may use the DHS employment eligibility verification service, known as the 
Basic Pilot, to confirm employment eligibility for newly hired employees, which in- 
cludes verification with SSA records and for noncitizens, with DHS records. 

In Fiscal Year (FY) 2006, SSA issued approximately 5.4 million original cards. Of 
these, 4.3 million were issued to United States citizens. Approximately 1.1 million 
cards were issued to non-citizens with temporary or permanent work authorization. 

Over the years SSA has made continual enhancements to the Social Security card. 
Because of the substantial cost of replacing all cards in use, older versions of the 
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card remain valid. Thus, there are about 50 different variations of the SSN card 
that have been issued since 1936. 

NonWork SSNs 

SSA also issues cards to aliens legally in the United States but who are not au- 
thorized to work by DHS. Last year SSA issued fewer than 15,000 of this type of 
non-work card. Each year as required by Section 414 of the Illegal Immigration Re- 
form Act of 1996, P.L. 104-208, SSA reports to Congress the number of SSNs as- 
signed to aliens who were not authorized to work in the United States when the 
card was issued for whom we receive Form W-2s. The most recent report stated 
that earnings were credited to 555,227 SSNs assigned to non-citizens who did not 
have authority to work in the United States at the time the SSN was assigned. It 
is important to note that since the work authorization status of a non-citizen may 
change, an earnings report under a nonwork SSN does not necessarily mean that 
unauthorized work was performed. 

Additional Efforts to Strengthen the Enumeration Process 

SSA has taken a number of steps to further strengthen the processes associated 
with assigning SSNs. You will recall that SSA formed a high-level response team 
to develop recommendations on enumeration policy and procedure in the aftermath 
of the terrorist attacks of September 11, 2001. As previously reported to this Sub- 
committee, implementation of many of the team’s recommendations has strength- 
ened our capability to prevent those with criminal intent from obtaining and using 
SSNs and SSN cards. As mentioned earlier in my testimony, beginning June 1, 
2002, SSA began verifying birth records with the issuing agency for all United 
States born SSN applicants age one or older. In addition, beginning in July 2002, 
SSA began verifying the authenticity of all immigration status with DHS before as- 
signing SSNs to non-citizens. 

We also continue to look for additional ways to make the enumeration process 
more efficient and secure. In November 2002, SSA piloted a Social Security Card 
Center in Brooklyn, New York. The Card Center represents a joint effort by SSA, 
SSA’s Office of the Inspector General (OIG) and Department of Homeland Security 
(DHS). The collaboration of these parties is intended to strengthen SSN application 
procedures, and to ensure that applications are processed with a high degree of in- 
tegrity, efficiency and expertise. 

In April 2005, SSA established another Social Security Card Center in Las Vegas, 
Nevada. The Las Vegas Social Security Card Center is dedicated exclusively to help- 
ing Las Vegas Valley and southern Nevada residents apply for a new or replace- 
ment Social Security Card. SSA plans to open additional centers as resources permit 
over the next several years based on SSN workloads and other service delivery fac- 
tors. 

SSN Verification Processes 

Many diverse organizations request SSN verifications for various purposes. SSA 
must consider each request to determine whether to deny or permit verification and 
what information, if any, may be disclosed. SSA also must consider each request to 
ensure that the proper safeguards are in place to protect the information being dis- 
closed. SSA must also be reimbursed for any work not related to the administration 
of our programs. Of course, by law, we cannot fulfill requests for non-program pur- 
poses if doing so would impede our mission. 

For many years, most SSN verifications were processed in our field offices. This 
was a manual process which was highly labor intensive. In 1983, SSA implemented 
the Employee Verification Service (EVS) in order to better manage the verification 
workloads. Since then SSA has provided additional ways to access SSN verification 
routines as technology has evolved. 

Employers 

Employers are our primary requestors for SSN verifications because they must ac- 
curately report wage information for the people they employ. One of SSA’s core busi- 
ness processes is maintaining the accuracy of earnings for all workers to ensure that 
they receive credit for the work on which FICA taxes were paid. Accurate earnings 
information is important because a worker’s earnings record is the basis for com- 
puting retirement, survivors, and disability benefits. 

SSA has successfully provided SSN verification services to the employer commu- 
nity for many years. Employers can verify SSNs for their employees by telephone, 
by submitting paper listings or by magnetic media. 

To further improve our service to employers, SSA piloted an online service, known 
as Social Security Number Verification Service (SSNVS), in April 2002. In June 
2005, SSA expanded the availability of this service to all employers. This optional. 
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free and secure Internet service provides employers with an immediate response for 
a limited number of SSN verification requests or a next business day response for 
high volume SSN verification requests. 

As mentioned earlier in my testimony, employers may participate in the Basic 
Pilot program, an ongoing joint initiative in which SSA supports DHS in assisting 
participating employers in confirming employment eligibility for newly hired em- 
ployees. Participating employers may use the automated system to verify SSNs and 
alien registration or admission numbers through verification checks of SSA and 
DHS databases. 

In 2005, through the EVS, SSNVS, and Basic Pilot programs, we estimate we pro- 
vided a total of 67 million employer verifications, up from 62 million in 2004. 

Federal and State Agencies 

Many Federal, State, and local agencies request SSN verification services for nu- 
merous purposes, from issuing food stamps to tracking convicted felons. Some of the 
agencies receive information as a result of legislation. Some of these organizations 
include, but are not limited to: 

• The Department of Education 

• The Department of Justice 

• The Office of Child Support Enforcement 

• The Internal Revenue Service 

• The Department of Veterans Affairs 

• The Selective Service System 

• Any Federal agency which uses the SSN as a numerical identifier in their 
record system 

• Federal, State, and local agencies for validating the SSN used in administering 
income or health maintenance programs 

• Federal, State, and local agencies where SSN use is authorized under Federal 
statute and they are involved in programs such as Temporary Assistance for 
Needy Families, Food Stamps, Medicaid, and Unemployment Insurance 

• State Motor Vehicle Agencies 

• Prisons 

• Law enforcement fugitive felon operations 

• SSAOIG. 

SSA provides verifications to some State agencies, such as State motor vehicle li- 
censing agencies via the American Association of Motor Vehicle Administrators 
(AAMVA). 

Third Parties 

Under the Privacy Act, SSA may verify or release SSNs to third parties that have 
obtained the written consent of the number holder, regardless of the purpose of the 
request. SSA has been providing such third party verifications for many years 
through existing verification processes. 

Impact of Public Law 108-458 

Section 7213 of P.L. 108-458 contains several provisions to strengthen the integ- 
rity of our enumeration process. Two key provisions include the implementation of 
limits on the number of replacement SSN cards an individual can receive to three 
per year and ten per lifetime with limited exceptions and the addition of death and 
fraud indicators to SSN verification routines for employers. State agencies issuing 
driver’s licenses and identity cards, and other verification routines as determined 
to be appropriate. 

As I mentioned previously, SSA implemented the restrictions on replacement SSN 
cards effective December 17, 2005 as required by IRTPA. In addition, although most 
death records were already available to employers and DMVs through our SSN 
verification services, we have also added the State death records that were pre- 
viously restricted as authorized by IRTPA. Those additional death records were 
added to SSN verification routines on March 6, 2006, well before the implementa- 
tion deadline set by IRTPA. We continue to work to ensure that fraud indicators 
will be added to the SSN verification routines by December 2007. 

Section 7213 of IRTPA also required SSA to establish minimum standards for 
verification of documents submitted in connection with an SSN. To this end, SSA 
established rigorous new standards for evidence of U.S. citizenship and identity sub- 
mitted in connection with an application for an SSN. 

IRTPA also required SSA to form an interagency taskforce specifically charged 
with establishing security requirements, including standards for safeguarding SSN 
cards from counterfeiting, tampering, alteration and theft. This interagency 
taskforce is working to improve the security features included on the current bank- 
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note card. SSA will prepare for implementation of the taskforce recommendations 
by June 2006. 

Conclusion 

In conclusion, the Social Security number was originally intended as a means to 
provide a record of the earnings of people who worked in jobs covered under the new 
Social Security program. We must remember that with all the improvements in the 
assignment of SSNs, the Social Security card is still just a record of the SSN as- 
signed to the individual and not an identity document. 

However, as we all know, the use of the SSN for other purposes has grown signifi- 
cantly over the years. The challenge we face is to balance SSA’s commitment to as- 
signing numbers quickly and accurately to individuals who qualify for them and 
need them to work, with the equally important need to maintain the integrity of 
the enumeration system to prevent SSN fraud and misuse. 

I want to thank the Chairman and members of the Subcommittee for inviting me 
here today, and I look forward to working with you to continue to improve SSA’s 
processes. 

I will be happy to answer any questions you might have. 


Chairman MCCRERY. Thank you, Mr. Streckewald. Dr. Kent. 

STATEMENT OF STEPHEN T. KENT, VICE PRESIDENT AND 
CHIEF SCIENTIST, INFORMATION SECURITY, BBN TECH- 
NOLOGIES; AND CHAIRMAN, COMMITTEE ON AUTHENTICA- 
TION TECHNOLOGIES AND THEIR PRIVACY IMPLICATIONS, 
NATIONAL RESEARCH COUNCIL, THE NATIONAL ACADEMIES 

Dr. KENT. Good morning, Chairman McCrery, Congressman 
Levin. I am Steve Kent, Vice President and Chief Scientist, for In- 
formation Security at BBN Technologies. I served as the Chair of 
the Committee on Authentication Technologies and their Privacy 
Implications for the National Research Council, the operating arm 
of the National Academy of Sciences. 

The study Committee authored two reports: “IDs, Not That Easy, 
Questions About Nationwide Identity Systems,” on which you have 
asked me to testify, and “Who Goes There: Authentication Through 
The Lens Of Privacy.” It is a pleasure to be here to discuss these 
reports with you. I will try to briefly summarize my written testi- 
mony which I submitted for the record. 

First, some general observations: developing identity systems is 
much more complex than it initially appears. Several key policy 
questions must first be answered, among them what problem is the 
system supposed to solve, and how will it try to solve the problem? 
How authentication will be achieved has to be looked at; who would 
be users of the system, who will rely on it, what types of uses will 
be allowed, and what legal structures protect the integrity of a sys- 
tem. 

Implicit in all these are that we are dealing with a system, not 
just ID cards. Success, therefore, depends not only on the card 
technology we use but on all of the ways the system components 
have to work together. The high cost of fixing or even abandoning 
a system makes it essential that potential ramifications are ex- 
plored very thoroughly prior to making decisions about design de- 
tails and deployment of a system. 

Let me address a few of the specific questions that you posed. 
There are a number of technical challenges associated with build- 
ing a counterfeit resistant, long lasting, easily replaceable ID card. 
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No method of ensuring that the person presenting the card is the 
proper owner can he completely reliable. A key decision for any sys- 
tem of this sort would he determining an acceptable threshold of 
false rejection and false acceptances, none of which are going to be 
zero in any practical technology. 

Second, any large scale identity system designed for a specific 
purpose is almost always used for other, secondary purposes. The 
ID may be used for verification unrelated to the original purposes. 
The data collected may be used in ways that have little to do with 
the original purpose. 

These unplanned uses often cause problems. For example, secu- 
rity and privacy protections that were designed for the original use 
might not align with the needs of a secondary use. Data collected 
for the primary use might not be appropriate in terms of quality 
or reliability for a secondary use. 

For the primary user, the existence of secondary uses can make 
it difficult to respond to a detected attack on the system. The range 
of possible reasons for the attack grows with secondary uses, mak- 
ing it more difficult to determine how to respond. The ID system 
databases hacked, for instance, was in an individual trying to get 
a fake ID for purchasing alcohol or someone with more nefarious 
purposes in mind. 

Third, the privacy implications of large scale identity systems are 
significant. A major challenge to privacy is the ability to cross-ref- 
erence databases in different systems tied to an ID, even when the 
primary system is privacy-preserving. Another problem is that of 
identity theft. To lessen the impact on privacy, a number of steps 
can be taken, including being clear about the system’s purpose, 
minimizing the scope and retention of collected data, and clarifying 
who will have access to data, and, of course, providing means for 
individuals to check on and correct information stored about them 
to rectify errors in the system. 

Fourth, identity establishment itself is a challenging but critical 
part of the process. Of particular concern is the fact that funda- 
mental documents, foundational documents like birth certificates 
that are required to establish identity for other identity documents 
are themselves subject to fraud and forgery. 

Moving to digital credentials or biometrics will not change some 
of the basic avenues of attack against a large scale identity system. 
As a result, the issuing process itself will remain extremely vulner- 
able. The best any new system can provide is a compelling connec- 
tion with some previous verification of identity, and that is usually 
imperfect. 

Finally, while our reports did not address the specific concerns 
you asked about with regard to modifying the SSN card to help 
prevent unauthorized immigrants from gaining lawful employment, 
the framework we presented in our study I think can be applied 
to this topic. 

It is important to note that layering a new system on top of the 
primary use of the SSN card would not intrinsically add to the tes- 
timony of the data that was collected for that original purpose. The 
data has the same quality and reliability that it had prior to the 
addition of the new system and the introduction of higher quality 
credentials in a physical sense. 
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In conclusion, as the title of our report suggested, IDs, Not That 
Easy, none of the issues raised by development and deployment of 
large scale identity systems are simple. The questions posed in our 
report should be carefully and thoroughly applied, not only from a 
privacy perspective but from a security, usability and effectiveness 
perspective as well. 

Thank you. That concludes my comments. I will be happy to take 
any questions. 

[The prepared statement of Dr. Kent follows:] 

Statement of Stephen T. Kent, Ph.D., Chairman, Committee on Authentica- 
tion Technologies and Their Privacy Implications, National Research 

Council, The National Academies 

Good morning, Mr. Chairman and members of the Committee. My name is Ste- 
phen Kent. I am Vice President and Chief Scientist for Information Security at BBN 
Technologies and served as the chair of the Committee on Authentication Tech- 
nologies and Their Privacy Implications of the National Research Council. This 
study committee authored the two reports, IDs — Not That Easy: Questions About 
Nationwide Identity Systems and Who Goes There? Authentication Through the Lens 
of Privacy, on which you have asked me to testify. The National Research Council 
is the operating arm of the National Academy of Sciences, National Academy of En- 
gineering, and the Institute of Medicine of the National Academies, chartered by 
Congress in 1863 to advise the government on matters of science and technology. 

It is a pleasure to be here to discuss these reports on large-scale identity systems. 
By way of background: the study committee originally planned to do only the Who 
Goes There? report. We decided on the IDs report about half-way through our study 
process after the September 11, 2001 terrorist attacks. In the wake of those attacks, 
numerous proposals for what identity systems could or should accomplish with re- 
spect to counterterrorism began circulating in the policy community and the media. 
The study committee believed that the persistence of public discussion about pos- 
sible new ID systems and the expectation that other proposals would continue to 
be offered argued for an informed analysis and critique of the concept of a nation- 
wide or large-scale identity system. The brief report on IDs was the result. It was 
intended to catalyze a broader discussion, and I am happy to be here today to con- 
tinue that discussion. 

I will start with a brief overview of the highlights of the IDs report and then ad- 
dress some of the specific issues that you asked me to consider in my testimony 
today. 

Perhaps the most important message of our work on ID systems is that designing 
and building systems to ascertain identity is much more complex than it might ap- 
pear and is indeed why we titled our IDs report “Not That Easy.” 

A primary consideration is to understand the goals of a large-scale identity sys- 
tem. Before any decisions can be made about whether to attempt some kind of sys- 
tem, the question of precisely what is being discussed and what purpose it will serve 
must be answered. What problem or problems is the proposed system meant to 
solve? The high-level policy questions that the IDs report outlines include the fol- 
lowing: 

• What is the purpose of the system? What problem or problems is it attempting 
to address? 

• What is the scope of the population that would be issued an ID? Related to this, 
how would the identities of these individuals be authenticated? 

• What is the scope of the data that would be gathered about individuals in sup- 
port of issuing an ID and how would it be correlated to data about them in any 
databases associated with the system? 

• Who would be the users of the system? By this we mean not only those who 
would be issued an ID, but the government agencies, perhaps state and local 
governments, or even the private sector organizations that might rely on the 
IDs. What entities would be allowed to use the system? Who could contribute, 
view, and/or edit the data in the system? 

• What types of use would be allowed? Who could demand an ID? Under what 
circumstances? What types of database queries about individuals would be per- 
mitted? Would data mining or analysis of the information collected be per- 
mitted? Who would be allowed to do such analysis? For what purposes? 
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• Would enrollment in and/or identification by the system (even if the individual 
had not formally been enrolled) be mandatory or voluntary? 

• What legal structures protect the system’s integrity as well as the ID holder’s 
privacy and due process rights? What structures determine the government and 
relying parties’ liability for system misuse or failure? 

Answers to all of these questions (and more) will have ramifications for the tech- 
nological underpinnings of the system, including what levels and kinds of system 
security will be required. 

Implicit in all of these questions is the notion of a “system” and not merely an 
“ID card.” The fact that any identity management proposal necessarily implies a 
“system” may be one of the most important (and less discussed) aspects of many of 
the identity system proposals that we have seen. These systems, at the scale that 
they are proposed, necessarily imply the linking together of many social, legal, and 
technological components in complex and interdependent ways. The success or fail- 
ure of such a system is dependent not just on the individual components (for exam- 
ple, the ID cards that are used, or the biometric readers put in place) but on the 
ways they work, or do not work, together. For example, are card readers located 
where they need to be? How well do the readers operate under various environ- 
mental and load scenarios? Who will operate the systems and how will they be 
trained and vetted? Do enrollment policies align with the security needs envisioned 
for the system? And so on. How well these interdependencies are controlled along 
with the mitigation of security vulnerabilities and the unintended consequences of 
the deployment of a system, will be critical factors in its overall effectiveness. 

In addition to the questions above, the committee outlined several cautions to 
bear in mind when considering the deployment of a large-scale identity system: 

• Given the costs, design challenges, and risks to security and privacy, there 
should be broad agreement in advance on what problem or problems the system 
would address. 

• The goals of the system should be clearly and publicly identified and agreed 
upon, with input sought from all stakeholders. 

• Care must be taken to explore completely the potential ramifications of deploy- 
ing a large-scale identity system, because the costs of fixing, redesigning, or 
even abandoning a system after broad deployment would likely be extremely 
high. 

That is a brief overview of some of the highlights from the IDs report. The study 
committee urged that proponents of large-scale identity systems present a compel- 
ling case addressing the issues raised in these reports and solicit input from a broad 
range of stakeholder communities. The IDs report elaborates on these issues and 
also considers some of the technological and security challenges inherent in large- 
scale identity systems. Some of the issues you asked me to address in my testimony 
today are more specific than what I have presented here so far, and to the extent 
that our reports address them, I will briefly discuss them. 

Tamper-Proof ID Cards 

Cards are often suggested as a means of binding an “identity” within a system 
to an individual. The question being: if someone presents a valid card, how do you 
know first, that the card is valid, and second, that the card belongs to the person 
presenting it? To the first question, the goal of a counterfeit-resistant, long-lasting, 
easily-replaceable ID card presents difficult technical challenges. Magnetic stripe 
cards are trivially easy to counterfeit. Memory cards or smart cards are more dif- 
ficult, but not impossible, to duplicate or forge. Use of cryptographic technologies 
and digital signatures can help, but for any technology, some degree of imperfection 
will exist. I have already mentioned that a key notion to keep in mind is that these 
systems are in fact systems — they would likely encompass databases, processes and 
procedures, cards, card readers, architectural requirements, security needs, and 
much more, not to mention the people who are a part of any technical system. Any 
ID card that is issued is only a component of the system. One question that must 
always be asked is what is the perceived threat? By threat I mean what set of ad- 
versaries do we believe we need to thwart, what are their capabilities, and what 
are their goals? If we cannot answer that question, we have no rational basis for 
deciding if any proposed system will likely be adequate, or whether it will be over- 
kill. 

To the question of ensuring that the person presenting the card is the same per- 
son identified with the card, a picture on the front of the card might be some assur- 
ance, but people sometimes have a hard time matching faces to pictures. “Two-factor 
authentication” in which an individual presents a card along with additional infor- 
mation (such as a PIN or thumbprint — either of which could be compared to data 
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on the card) is another possibility. Another scenario might he to have the person 
interact with a biometric scanner and present the card that contains reference infor- 
mation for the biometric in question. Both pieces of information are validated in 
combination against a backend server. This, however, creates a requirement for high 
availability and a dependence on a secure, reliable network and communications in- 
frastructure. Also, unless the scanner is itself a secure device (and known to be so 
through some kind of formal evaluation process) or the scanner is closely monitored, 
the system may be compromised. Even then, the system will not be fool-proof. (I am 
informed, by the way, that the NRC is conducting a large study on biometric sys- 
tems that should be released later this year) 

A decision on thresholds for false rejection and false acceptance rates (which is, 
first, a policy decision) will need to be made — and those thresholds cannot really be 
zero for any technology. Moreover, even the best-designed systems are subject to so- 
cial engineering (there are numerous examples of personnel being tricked into 
issuing credentials without adequate proof of identity or authorization) and insider 
threat attacks — and thus one cannot rely on technological solutions alone. The en- 
tire system and implications of policy decisions at all levels must be thought 
through carefully. 

Secondary Uses 

One of the challenges that arises repeatedly with a large-scale identity system de- 
signed for a specific purpose (or set of purposes) is that there are almost always 
forces in play that push the systems to be used for things that they were not origi- 
nally designed for. A familiar example of this is the state driver’s license, which 
does not merely enable one to legally drive on public roads, but is also relied on 
to provide “proof of age” for alcohol purchases and “proof of identity” to board an 
aircraft for domestic travel in the U.S. 

Most systems do not explicitly guard against secondary uses, although occasion- 
ally there are legal requirements or contractual relationships that limit secondary 
use (such as credit card agreements.) There are at least two ways in which sec- 
ondary use might happen. In some cases, the card presented may be used for addi- 
tional verification purposes in contexts unrelated to the original purposes. In other 
instances, the data collected in support of card issuance may be used in ways that 
have little to do with the original purpose. Unintended uses of an identity system 
and its associated technologies can always have inadvertent side effects. There are 
numerous examples in the literature of this, and the expansion over time in use of 
the Social Security Number (SSN) is a well-known instance. For example, the pro- 
posed ID might become the new, de facto photo ID for individuals, potentially expos- 
ing SSNs to a very wide range of organizations at a time when states are elimi- 
nating the SSN from driver’s licenses. 

If any new ID system is deployed, chances are that there will be uses found for 
it that were not originally intended. While this might seem an efficiency on the sur- 
face, in fact, such unplanned-for multiple uses may cause problems. 

• A particular challenge resulting from unplanned-for uses is when technology or 
an ID system designed for a specific security context, user population, and so 
on is used (intentionally or unintentionally) without a determination as to 
whether the original security, privacy, and usage assumptions still hold in the 
new context. Secondary uses are implicitly relying on whatever assurances, se- 
curity models, and privacy protections the original designers and implementers 
were working with. These may not align with the needs of the secondary user. 
For example, access to a health club may require a different usability or privacy 
model than access to secured facilities at an airport. One size cannot fit all. 

• A significant context consideration is the security of the system. The original 
system was designed with a particular threat model in mind; this threat model 
may not apply to secondary uses of the system. 

• Another problem is that the data collected for the original purposes may not 
be what is needed, or at the appropriate quality or reliability levels, for the new 
secondary uses. 

• Depending on inappropriate assumptions is not a challenge just for the sec- 
ondary user, but also for the primary users of the system. An ID system that 
is used for multiple purposes with multiple types of threats, not all of which 
were designed or planned for, can make it difficult to respond to a known attack 
on the system. This is because with secondary uses, the universe of possible mo- 
tivations behind the attack is much larger, making it difficult to ascertain what 
is an appropriate response to an attack. If your database is hacked, was it indi- 
viduals desiring a fake ID to purchase alcohol, for example, or individuals with 
more nefarious purposes in mind? 
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Privacy Consequences 

The privacy implications of large-scale identity systems can be significant. While 
casual discussions of IDs or ID cards may assume simple, unique pairings of infor- 
mation and individuals, the reality is often more complicated. A major privacy chal- 
lenge, even when a given system has been designed and is operating in a secure 
and privacy-sensitive fashion, is the ability to cross-reference and link information 
across databases in different systems. In many cases, an identity in a given system 
will include a common cross-reference, such as a Social Security Number, that 
makes it trivially easy to link it to other identities associated with other systems 
(presumably designed for other purposes.) In addition, questions arise as to how re- 
liable the linking would be — some institutions may not mind if suggested linkages 
are only approximate (for example, a vendor attempting to do targeted marketing), 
whereas others demand high levels of accuracy. 

Identity theft is also a major concern, especially in the case of centralized data- 
bases or systems used for multiple purposes — the more useful or “powerful” an ID 
is the more tempting it is as a target. Identity theft is an individual’s fraudulent 
claim that he or she is the person to whom the information in the system refers, 
allowing him or her to derive some benefit from another party who is relying on 
that claim. One reason for the problem is the expanded use of SSNs for purposes 
that were not originally intended coupled with the assumption that they are ‘secret’ 
or should act as a ‘key.’ 

When designing a system to lessen impacts on personal privacy, the study com- 
mittee made a number of recommendations, including: 

• Be clear about the purposes of the system. 

• Minimize the scope of the data collected to that which is essential for the pur- 
pose of the ID system. 

• Minimize the retention interval for data collected in association with use of the 
card. 

• Clarify who will have access to the collected data. 

• Clarify what kinds of access to and use of the data are allowed. 

• Ensure that use of the system is audited to protect against illegitimate uses as 
well as to monitor for security threats. 

• Provide means for individuals to check on and correct the information stored 
about them. 

All of that said, many times there are important uses of data that are unantici- 
pated when the data are collected. For these as for other important uses, it is a 
question of balancing the risks to privacy and confidentiality against the benefits 
of the uses, especially when the uses are for research to inform public policies or 
for national security. The Academies have long studied the issues here for important 
research uses of data. A recent study is Expanding Access to Researeh Data: Recon- 
ciling Risks and Opportunities from the Academies’ Committee on National Statis- 
tics. For the case of national security purposes, the Computer Science and Tele- 
communications Board has joined with the Committee on Law and Justice and the 
Committee on National Statistics to launch a major study to balance the risks and 
benefits. The Academies would be pleased to offer more information on these and 
other studies that may be relevant to your inquiry or to help with further investiga- 
tions of interest to you. 

Identity Establishment 

The establishment of an identity in an identity-system is another challenging but 
critical part of the process. There is a tangled web of government-issued identity 
documents used as foundational documents that allow the government and other or- 
ganizations to issue other identity documents. Many of these foundational docu- 
ments, used to acquire an SSN or Passport, for example, are subject to fraud and 
forgery themselves. Birth certificates are particularly problematic, in that they are 
issued by thousands of different jurisdictions across the country, making them both 
easy to forge and difficult to verify and thus very poor to use as an identification 
document from a security perspective. Moreover, no aspect of a birth certificate 
binds it to an individual in any strong security sense. The types of possible attacks 
on identity documents vary and include the following: 

• An individual acting as an impostor. 

• Forged or fraudulent documents. 

• Tampering with existing documents. 

• Compromise of confidential information (for example, in an identity system 
database) that is then used to create a false identity. 

• Modification of computerized records to support a false identity. 
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Moving to, for example, digital credentials or biometrics will not change these 
basic avenues of attack and fraud. As technology and perhaps ID cards become ever 
more sophisticated, the issuing process will remain extremely important. All the se- 
curity in the world cannot overcome deficiencies in this step — the system will only 
be as good as the data that goes into it. The best that any system can provide is 
a compelling connection with some previous verification of identity. Essentially, 
trust in the integrity of the system is based not so much on any single verification 
when an individual presents a claim of identity as it is on increasing confidence 
when multiple transactions happen over time and all previous transactions with 
that particular individual have worked out. 

Other Questions 

You asked me to comment in particular on the issue of modif3dng the SSN card 
so that it is tamper- and counterfeit-resistant as part of efforts to prevent unauthor- 
ized immigrants from gaining lawful employment in the United States. While the 
National Research Council’s reports did not address this specific question, such an 
approach clearly falls within the realm of large-scale identity systems that the study 
committee was considering. The framework that we presented can be applied to this 
question. 

For example, once the purpose of a system is clearly articulated — in this case the 
prevention of unauthorized people from gaining lawful employment in the United 
States — then a next question to ask is what information would accomplish the goal 
of ascertaining whether an individual is qualified to work in the United States? Who 
has that data? Who collects it? Who can access it? If a system with that sort of data 
were deployed, how would it be reflated? What penalties or liabilities would be as- 
sociated with misuse? How could individuals correct their own data within the sys- 
tem? What kinds of security would be needed? What are the likely threat models 
for such a system? How could potential threats of identity theft (in this case “work- 
er-identity”) be mitigated? Who would be authorized to ask to see the ID card asso- 
ciated with this system? Are there other likely abuses and how could the possibility 
of those be mitigated? If the system is to be built on top of another existing identity 
system (such as the SSN) — which poses its own very serious challenges since this 
basically would be an unintended, unplanned-for, not designed-for use of the SSN — 
then what can be assumed about the underlying data in the current system? 
Layering even the best current security on top of old data only gives the old data 
an appearance of being more trustworthy — the data has the same quality and reli- 
ability that it had prior to the security being added. 

Conclusion 

Mr. Chairman and members of the committee, our study committee wrestled with 
questions of identity, authentication, identification, and large identity systems for 
many months — not new issues, but ones that were brought into sharp focus after 
September 11, 2001. In the study I have described, we have attempted to lay out 
our thinking and analysis of these issues. As the report title, IDs — Not That Easy, 
suggests, none of these issues is simple, and any large-scale identity system poses 
numerous questions that should be carefully thought through — not only from a pri- 
vacy perspective, but also from security, usability, and effectiveness perspectives. 
Our reports attempt to lay out some of these questions that must be addressed and 
to illustrate the complexities that can arise. 

You can find more information about these and related studies on the Web site 
of the Computer Science and Telecommunications Board of the National Research 
Council at http://www.cstb.org. 

Thank you. That concludes my comments. I would be happy to take any questions 
you may have. 


Chairman MCCRERY. Thank you, Dr. Kent. Mr. Rotenherg. 

STATEMENT OF MARC ROTENBERG, PRESIDENT AND EXECU- 
TIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CEN- 
TER 

Mr. ROTENBERG. Thank you, Mr. Chairman, Congressman 
Levin. Thank you for the opportunity to testify. My name is Marc 
Rotenherg. I am President of the Electronic Privacy Information 
Center. We are a public interest research group here in Wash- 
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ington. We have done a lot of work related to the SSN. I also teach 
privacy law at Georgetown Law Center. 

I would like to briefly summarize my testimony and ask that the 
statement be included in the record. 

The key points I would like to make this morning concern the 
history of the effort to restrict the use of the SSN precisely so that 
it would not form the basis for a national identity card. As you well 
know, when the number was first established for the purpose of ac- 
counting for the SSA contributions, the first regulation that was 
issued by the the SSA was to make clear that this was not a card 
for identification purposes. 

Now, the particular concern about the possible misuse of the 
SSN was taken up in 1973 in a very important report by the U.S. 
Department of Health, Education, and Welfare. This report more 
than 30 years ago identified the possible misuse of the SSN to link 
together record systems across government agencies and with pri- 
vate sector record systems. 

As a consequence of that investigation. Congress enacted in 1974 
the Privacy Act (P.L. 93-579). The Privacy Act, among the various 
things that it did, set out clear prohibitions on the collection and 
use of the SSN. Although people at that point in time did not use 
the phrase identity theft, I think it was a very wise decision on the 
part of the Congress to limit the use of the SSN, because what we 
have seen now, 30 years later, is that the broad dissemination of 
the Social Security number within the United States has contrib- 
uted to what is now the number one crime. The crime of identity 
theft is a $53 billion crime, according to a 2004 report of the U.S. 
Federal Trade Commission (FTC). 

Now, since the passage of the Privacy Act, it is obviously the case 
that the uses of the SSN have expanded by both government agen- 
cies and in the private sector, but I think it is important to note 
at the same time that the Congress and the States and the FTC 
have taken measures to try to limit the use of the SSN, recognizing 
that it does create an increased risk of identity theft. I think one 
of the witnesses spoke earlier about the provision that in effect 
took the SSN off the State driver’s license so that the driver’s li- 
cense would not become the link to other record systems. 

Now, certainly, steps can be taken to enhance the Social Security 
card so that the likelihood of counterfeiting and tampering are di- 
minished, and I think everyone including privacy organizations 
would favor those measures. The concern here on the privacy side 
is that the number becomes the basis for linking together different 
record systems; so, for example, if it becomes the basis for employ- 
ment eligibility determinations, which could be made by DHS, 
every employee in the United States, not just immigrants to this 
country, would be required to present their Social Security card as 
a condition of establishing eligibility for employment, and I think 
this is something that was clearly never anticipated in the use of 
the number. I very much support the testimony of Dr. Kent and 
the work of the National Research Council. 

As these uses are expanded to determine citizenship, for exam- 
ple, or to determine employment eligibility, the increasing risks of 
misuse expand as well, as do the targets of opportunity and incen- 
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tives for people to take advantage of the SSN and use it in ways 
that will cause actual harm and crime to individuals. 

So, our recommendation to you today, particularly in the context 
of a series of hearings that look at high risk issues associated with 
the use of the SSN, is to ensure that there are adequate security 
and privacy safeguards for current uses and to avoid new uses that 
might introduce new risks and new dangers to American con- 
sumers. 

There is a good reason, I believe, that people in this country in 
particular are very uneasy about a national identity card, and it is 
part of our longstanding traditional that we would not, as a general 
matter, expect to live in a country where the government could say 
in effect please present your identity and prove to us who you are. 

Thank you very much for the opportunity to testify this morning. 

[The prepared statement of Mr. Rotenberg follows:] 

Statement of Marc Rotenberg, President, Electronic 
Privacy Information Center 

Introduction 

Chairman McCrery, Ranking Member Levin, and Members of the Subcommittee, 
thank you for the opportunity to testify on the high-risk issues surrounding Social 
Security numbers. 

My name is Marc Rotenberg and I am Executive Director of the Electronic Privacy 
Information Center. EPIC is a non-partisan research organization based in Wash- 
ington, D.C.i Founded in 1994, EPIC has participated in leading cases involving the 
privacy of the Social Security Number (SSN) and has frequently testified in Con- 
gress about the need to establish privacy safeguards for the Social Security Number 
to prevent the misuse of personal information.^ Last year, I testified on H.R. 98, 
the Illegal Immigration Enforcement and Social Security Protection Act of 2005 and 
urged Members to reject the use of the SSN as a national identifier and to ensure 
the development of adequate privacy and security safeguard to address the growing 
crisis of identity theft.^ 

Social Security numbers have become a classic example of “mission creep,” where 
a program designed for a specific, limited purpose has been transformed for addi- 
tional, unintended purposes, some times with disastrous results. The pervasiveness 
of the SSN and its use to both identify and authenticate individuals threatens pri- 
vacy and financial security. Recent efforts to expand employment verification pro- 
grams based upon SSN identification would turn the SSN into a national identifier, 
subjecting Americans to a national tracking systems and also heightening the risks 
of identity theft. There are additional risks associated with some of the technological 
features that the proponents of an “upgraded” Social Security card have suggested. 
As the New York Times reported yesterday, RFID chips that are being added to 
identity cards including the U.S. passport, are apparently subject to computer vi- 


^EPIC maintains an archive of information about the SSN online at http://www.epic.org/pri- 
vacy/ssn/. 

2 See, e.g., Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) (“Since the passage of the Pri- 
vacy Act, an individual’s concern over his SSN’s confidentiality and misuse has become signifi- 
cantly more compelling”); Beacon Journal v. Akron, 70 Ohio St. 3d 605 (Ohio 1994) (“the high 
potential for fraud and victimization caused by the unchecked release of city employee SSNs 
outweighs the minimal information about governmental processes gained through the release of 
the SSNs”); Testimony of Marc Rotenberg, Executive Director, Electronic Privacy Information 
Center, at a Joint Hearing on Social Security Numbers and Identity Theft, Joint Hearing Before 
the House Financial Services Subcommittee on Oversight and Investigations and the House 
Ways and Means Subcommittee on Social Security (Nov. 8, 2001) available at http:// 
www.epic.org/privacy/ssn/testimony_ll_08_2001.html; Testimony of Chris Jay Hoofnagle, Legis- 
lative Counsel, EPIC, at a Joint Hearing on Preserving the Integrity of Social Security Numbers 
and Preventing Their Misuse by Terrorists and Identity Thieves Before the House Ways and 
Means Subcommittee on Social Security and the House Judiciary Subcommittee on Immigration, 
Border Security, and Claims (Sept. 19, 2002) available at http://www.epic.org/privacy/ssn/ 
ssntestimony 9.19.02.html. 

^ Testimony of Marc Rotenberg, President, Electronic Privacy Information Center, at a Hear- 
ing on H.R. 98, the “Illegal Immigration Enforcement and Social Security Protection Act of 
2005” before the House Judiciary Committee Subcommittee on Immigration, Border Security, 
and Claims (May 12, 2005) available at http://www.epic.org/privacy/ssn/51205.pdf. 
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ruses and other forms of attack.^ These risks associated with the expanded use of 
the Social Security Number and identification cards underscore the importance of 
the hearing today. 

History of SSN Use 

The Social Security Number (SSN) was created in 1936 for the purpose of admin- 
istering the Social Security laws. SSNs were intended solely to track workers’ con- 
tributions to the social security fund. Legislators and the public were immediately 
distrustful of such a tracking system, which can be used to index a vast amount 
of personal information and track the behavior of citizens. Public concern over the 
potential abuse of the SSN was so high that the first regulation issued by the new 
Social Security Board declared that the SSN was for the exclusive use of the Social 
Security system. 

Over time, however, legislation allowed the SSN to be used for purposes unrelated 
to the administration of the Social Security system. For example, in 1961 Congress 
authorized the Internal Revenue Service to use SSNs as taxpayer identification 
numbers. 

A major government report on privacy in 1973 outlined many of the concerns with 
the use and misuse of the Social Security Number that show a striking resemblance 
to the problems we face today. Although the term “identify theft” was not yet in 
use. Records Computers and the Rights of Citizens described the risks of a “Stand- 
ard Universal Identifier,” how the number was promoting invasive profiling, and 
that many of the uses were clearly inconsistent with the original purpose of the 
1936 Act. The report recommended several limitations on the use of the SSN and 
specifically said that legislation should be adopted “prohibiting use of an SSN, or 
any number represented as an SSN for promotional or commercial purposes.”® 

In enacting the landmark Privacy Act of 1974, Congress recognized the dangers 
of widespread use of SSNs as universal identifiers, and enacted provisions to limit 
the uses of the SSN. The Senate Committee report stated that the widespread use 
of SSNs as universal identifiers in the public and private sectors is “one of the most 
serious manifestations of privacy concerns in the Nation.” Short of prohibiting the 
use of the SSN outright. Section 7 of the Privacy Act provides that any agency re- 
questing an individual to disclose his SSN must “inform that individual whether 
that disclosure is mandatory or voluntary, by what statutory authority such number 
is solicited, and what uses will be made of it.” This provision attempts to limit the 
use of the number to only those purposes where there is clear legal authority to col- 
lect the SSN. It was hoped that citizens, fully informed that the disclosure was not 
required by law and facing no loss of opportunity in failing to provide the SSN, 
would be unlikely to provide an SSN and institutions would not pursue the SSN 
as a form of identification. 

The SSN as a National ID Number Erodes Privacy 

Contrary to the clear intent of the Privacy Act, legislation considered this term 
has proposed to build the SSN and the Social Security card into a national ID. H.R. 
98, for example, would create a de facto national identity card. Despite any dis- 
claimers that the card was not to be used for identification, employers required to 
verify the information on the card (which would bear a photograph and a machine- 
readable unique identifier) would likely rely upon these “fraud prevention meas- 
ures” as practical identification requirements. It is important to note that the SSN 
and its basic card are not intended to be used for authentication and identification 
purposes today, and yet far too many entities rely upon it for just those purposes. 
Adding the trappings of an identification document to it, including photographs and 
machine-readable technology, only reinforces the card’s status as a badge of identity. 

Furthermore, using the SSN for employment verification would necessarily re- 
quire the building of a vast database of nearly all people employed within the coun- 
try, which could be easily indexed and correlated with other databases via the SSN. 
It is precisely this use of the SSN that the drafters of the Privacy Act sought to 
prevent. H.R. 98 proposed that the database be available to Homeland Security for 
“any other purpose the Secretary of Homeland Security deems to be an the national 
security interests of the United States.” This vague clause perfectly illustrates “mis- 
sion creep,” and highlights the risk that a national database, based on SSNs, estab- 


^John Markoff, “Study Says Chips in ID Tags Are Vulnerable to Viruses,” New York Times, 
March 15. 2005. 

® “Records, Computers, and the Rights of Citizens,” Report of the Secretary’s Advisory Com- 
mittee on Automated Personal Data Systems, U.S. Department of Health, Education & Welfare 
125-35 (MIT 1973). 
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lished for one purpose could quickly be transformed into an open-ended system of 
national surveillance. 

A mandatory, national index of all people employed within the U.S. would allow 
the tracking of individuals on an unprecedented scale. Each person applying for a 
job would be subject to a status determination by a government agency with each 
application. In essence, a person’s life and livelihood would be determined by a data- 
base kept by the federal government — a database grounded in a flawed system of 
identification never intended for the purpose. 

Identity Theft 

Nor are the uses of a universal identifier limited to government uses. In fact, it 
is commercial enterprises that have made the SSN synon 3 Tnous with an individual’s 
identity. Despite the fact that the cards were never intended to be used for identi- 
fication purposes, they are considered the “keys to the kingdom” for records about 
individual consumers. 

The financial services sector, for instance, has created a system of files containing 
personal and financial information on nearly ninety percent of the American adult 
population, keyed to individuals’ SSNs. This information is sold and traded freely, 
with virtually no legal limitations. This widespread use, combined with lax 
verification procedures and aggressive credit marketing that lead to widespread 
identity theft. 

Credit grantors rely upon the SSN to authenticate a credit applicant’s identity; 
many cases of identity theft occur when thieves apply using a stolen SSN and their 
own name. Despite the fact that the names, addresses, or telephone numbers of the 
thief and victim do not match, accounts are opened and credit granted using only 
the SSN as a means of authentication. EPIC has detailed many of these cases in 
other testimony.® 

The root of this problem is that the SSN is used not only to tell the credit issuer 
who the applicant is, but also to verify the applicant’s identity. This would be like 
using the exact same series of characters as both the username and password on 
an email account. The fact that this practice provides little security should not be 
a surprise. 

The printing of SSNs on government-issued drivers licenses provided yet another 
opening for identity thieves. A thief who stole your wallet could also easily steal 
your identity, with name, address, diver’s license number, and SSN in one easy 
place. Congress recognized this threat and in the Intelligence Reform and Terrorism 
Prevention Act of 2004, prevented the printing of SSNs on drivers licenses and other 
government-issued ID.'^ 

International Experiences 

The debate on national identification cards is not restricted to the United States. 
Fierce debates have erupted in other countries over the adoption of national ID 
cards. The problems presented by such cards in the UK, France, and many other 
nations are the same problems that we would face here — convenient categorization 
of individuals’ records, to be used or abused by governments or those who obtain 
access to government records. 

The protests against the UK national ID cards are strong, and from esteemed 
sources such as the London School of Economics,® yet they address a system that 
is even less problematic than one that could use the SSN as a national ID. In the 
UK, for example, the national ID card would be a voluntary document. And in Ire- 
land, a proposal to establish national was recently rejected.® Here in the U.S., SSNs 
are most frequently assigned at birth. We would be putting in place a system man- 
dating ownership of a machine-readable photo ID, a step that other parts of the 


®See, e.g., TRW, Inc. v. Andrews, 534 U.S. 19 (2001) (Credit reporting agencies issued credit 
reports to identity thief based on SSN match despite address, birth date, and name discrep- 
ancies); Dimezza v. First USA Bank, Inc., 103 F. Supp.2d 1296 (D. N.M. 2000) (same). See also 
United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (Credit issued based solely on SSN and 
name, despite clear location discrepancies); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) 
(same); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp.2d 150 (D. P.R. 2002) (same). 

7 Pub. L. No. 108-408 §§7211-7214, 118 Stat. 3638, 3825-3832 (2004). 

® London School of Economics, The Identity Report: an assessment of the UK Identity Cards 
Bill and its implications (2005) at http://is2.lse.ac.uk/IDcard/identityreport.pdf. 

® EPIC prepares an extensive annual survey of international developments concerning privacy 
protection, including the debates over identity documents. See Privacy and Human Rights: An 
International Survey of Privacy Laws and Developments (EPIC 2004), available at http:// 
www.privacyintemational.org/article.shtml?cmd[347]=x-347-82586&als[theme]=Privacy%20 
and%20Human%20Rights&headline=PHR2004#_Toc396491834 (“Identity systems”). 
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world, even those less opposed to government interference in personal affairs, seem 
loath to take. 

Measures to Prevent Fraud 

The need to present such a card at every emplo 3 Tnent encounter, and possibly also 
for homeland security purposes, would also likely increase the need to carry the 
card on one’s person, rolling back the benefits achieved by taking the SSN off of 
driver’s licenses. The reason that the SSN can so easily be used for fraud is not that 
the card lacks anti-counterfeiting measures; it is the fact that the card is being used 
as an identifier in so many contexts that it should not be. Efforts to protect the SSN 
and its holders should therefore be focused upon limiting its uses and disclosures. 

Several states have, in recent years, established new privacy protections for SSNs. 
These laws demonstrate that major government and private sector entities can still 
operate in environments where disclosure and use of the SSN is limited. They also 
provide examples of protections that should be considered at the federal level. For 
example, Colorado, Arizona, and California all have laws that broadly restrict the 
disclosure and use of the SSN by both government and private actors. These laws 
encourage agencies and businesses to use different identifiers for their specific pur- 
poses, reducing the vulnerability that the disclosure of any one identifier may cre- 
ate. Arizona’s law also prohibits the printing of the SSN on material mailed to 
Arizona residents, reducing the threat of fraud from intercepted correspondence. 

Other states, including New York and West Virginia, have statutes that limit the 
use of the SSN as a student ID number.^i This reduces the vulnerability of students 
to identity theft and protecting the privacy of students whose personal information 
is collected in databases, and whose grades are often publicly posted, indexed by 
their student ID numbers. Similar laws exist in Arizona, Rhode Island, Wisconsin, 
and Kentucky. 

Congress and this Committee has likewise moved to protect the SSN; just this 
session, Chairman Shaw and many other members of this Committee introduced 
legislation that would have added protections on a federal level. We hope that the 
Committee will be able to act on these proposals this session 

These various proposals all tend towards limiting the uses of the SSN, in notable 
contrast to proposals that expand SSN uses and thus expand individuals’ vulner- 
ability. We therefore urge the Committee to regard cautiously any attempt to ex- 
pand the use of the SSN beyond its already overextended purposes. 

Conclusion 

The expanded use of the Social Security Number is fueling the increase in identity 
theft in the United States and placing the privacy of American citizens are great 
risk. The widespread use of the SSN has made it too easy for government agencies, 
businesses, and even criminals to create detailed profiles of individuals Americans. 
Congress wisely sought to limit the use of the Social Security Number when it 
passed the Privacy Act of 1974, and the states have since established additional 
safeguards. While new techniques may address some of the security and privacy 
issues associated with the expanded use of the Social Security card, it clear that 
these techniques also create new privacy and security risks. We urge the Committee 
to consider very carefully the high-risk issues associated with the use of the Social 
Security Number. Every system of identification is subject to error, misuse, and ex- 
ploitation. 


Attachment 

Inside Risks: Real ID, Real Trouble? 
by Marc Rotenberg 

According to the report of the 9/11 Commission, all but one of the 911 1 hijackers 
acquired some form of U.S. identification, some by fraud. Acquisition of these forms 
of identification would have assisted them in boarding commercial flights, renting 
cars, and other activities. As a result, the Commission and some lawmakers con- 
cluded it was necessary for the federal government to set technical standards for 
the issuance of birth certificates and sources of identification, such as driver’s li- 
censes. The result was the Real ID Act of 2005. 


“Colo. Rev. Stat § 24-72.3-102; Ariz. Rev. Stat. §44-1373; Cal. Civ. Code § 1798.85. 

IIN.Y. Educ. Law § 2-b; W. Va. Code Ann. § 18-2-5f. 

12 Ariz. Rev. Stat. § 15—1823; R.I. Gen. Laws § 16-38—5.1; Wis. Stat. Ann. §36.11(35); Ky. Rev. 
Stat. Ann. § 156.160. 
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The new law states that beginning in 2008, “a Federal agency may not accept, 
for any official purpose, a driver’s license or identification card issued by a State 
to any person unless the State is meeting the requirements of this section.” This 
means the Department of Homeland Security will issue the technical standards for 
the issuance of the state driver’s license. The practical impact, as CNET explained, 
is that “Starting three years from now, if you live or work in the United States, 
you’ll need a federally approved ID card to travel on an airplane, open a bank ac- 
count, collect Social Security payments, or take advantage of nearly any government 
service.” And even some of the more conservative commentators in the U.S. have 
expressed concerns about “mission creep.” 

Several objections have been raised about the plan, including privacy and cost, 
but the most significant concern may be security. As Bruce Schneier has explained, 
“The biggest risk of a national ID system is the database. Any national ID card as- 
sumes the existence of a national database . . . large databases always have errors 
and outdated information.” Even if the identity documents are maintained in the 
states, problems are likely. 

One example concerns the vulnerability of the state agencies that collect the per- 
sonal information used to produce the license. In 2005, the burglary of a Las Vegas 
Department of Motor Vehicles put thousands of driver’s license holders at risk for 
identity theft. The information of at least 8,738 license and ID card holders was sto- 
len, and reports of identity theft have already surfaced. Another report uncovered 
10 “license-for-bribe” schemes in state DMVs in 2004. 

Not surprisingly, the administrators of the state license systems are among those 
most concerned about the proposal. As the director of Driver Services in Iowa said, 
“It’s one thing to present a document; it’s another thing to accept the document as 
valid. Verifying digital record information is going to be difficult.” The National Con- 
ference of State Legislatures was more emphatic, “The Real ID Act would cause 
chaos and backlogs in thousands of state offices across the country, making the na- 
tion less secure.” 

The National Academy of Sciences anticipated many of these challenges in 2002, 
stating that the U.S. should carefully consider the goals of nationwide ID system: 
“The goals of a nationwide identification system should be clarified before any pro- 
posal moves forward. Proposals should be subject to strict public scrutiny and a 
thorough engineering review, because the social and economic costs of fixing an ID 
system after it is in place would be enormous.” 

The problems of building reliable systems for identification are not unique to the 
U.S. Many countries are confronting similar questions. In Great Britain, a national 
debate continues about the creation of a new identity card. The government con- 
tends the card is essential for combating crime, illegal immigration, and identity 
theft, and can be achieved for an operating cost of 584million pounds per year. But 
a report from the London School of Economics challenged a number of the govern- 
ment positions and a subsequent report found further problems with the ID plan. 

The U.K. group concluded, “ID requirements may actually make matters worse.” 
The LSE report cited a recent high-profile breach: “Even as cards are promised to 
be more secure, attacks become much more sophisticated. Most recently, Russian se- 
curity agents arrested policemen and civilians suspected of forging Kremlin security 
passes that guaranteed entrance to President Vladimir Putin’s offices.” 

Systems of identification remain central to many forms of security But designing 
secure systems that do not introduce new risks is proving more difficult than many 
policymakers had imagined. Perhaps it’s time for the proponents of expanded identi- 
fication systems to adopt the cautionary line from Hippocrates: “First, do no harm.” 


Marc Rotenberg (rotenberg@epic.org) is executive director of the Electronic Pri- 
vacy Information Center (EPIC) and the former director of the ACM Washington Of- 
fice: an expanded version of this column appears at www.epic.org. 


Chairman MCCRERY. Thank you, Mr. Rotenberg, and thank you 
all for providing excellent testimony and raising some good ques- 
tions and considerations as we try to sort our way through some- 
times conflicting national needs and the desires of our constituents 
and folks that are concerned about immigration, about illegal im- 
migration, and about terrorism. 
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We find ourselves kind of going in circles, it seems to me, as we 
talk about these issues. On the one hand, we all want to protect 
our border. We want to make sure that people are here legally and 
working legally, but we also recognize the dangers that Mr. 
Rotenberg and Dr. Kent pointed out of expanding the uses of the 
SSN and thereby increasing the opportunity for fraud. 

So, it is a complex question, and I appreciate the sunlight that 
you all have brought to this question. Let us assume for the mo- 
ment that we could make a card that is much more foolproof than 
the current card, and that would be very difficult to copy. Even if 
we had that, let us look at the question of employment eligibility 
and using that in employment eligibility, because several Members 
of Congress have already introduced proposals that would require 
employers to check a government database to confirm an employ- 
ee’s work authorization. 

Some of those proposals combine that with an enhanced SSN 
card that could be used to access the employment eligibility 
verification system. How effective do you all think such a system 
would be in preventing unauthorized noncitizens from illegally ob- 
taining employment? Would we get the desired result from the 
bucks that we expend to put that system in place? 

Mr. ROTENBERG. Well, one of the key issues, Mr. Chairman, in 
that question, and this is also addressed in the National Research 
Council report, concerns the quality of the underlying data. The 
proposal which you are referring to, which I think is H.R. 98, 
would try to, in effect, transform the SSN card into an identity doc- 
ument and enable employers to query a national database, which 
I believe would be maintained by DHS, to determine the eligibility 
of a person who is seeking employment in the United States. 

It is possible, certainly, to enhance the card through photographs 
and biometric means to make it into a quasi-identity document. I 
think it would raise privacy issues, but it would not resolve the 
question as to the accuracy of the underlying data. I think it is 
very easy to imagine, particularly with a lot of foreign names, that 
misspellings and mispronunciations could easily lead to errors in 
these systems. 

Now, that is not necessarily a reason not for doing it, but I think 
it does underscore the need to, as Dr. Kent said, look beyond the 
card and to establish this as a system problem and to understand 
whether or not those databases would support good decisions. 

Chairman MCCRERY. Let me just interject for a moment, be- 
cause we ought not too easily set aside these suggestions in today’s 
world of extremely capable technology. You have mentioned foreign 
names, and it is easy to get them mixed up. On a computer it is 
pretty specific. You have to type in exactly the right name. So, if 
you do that, and you send it to this database, it is not going to get 
confused; it is going to spit back exactly that name and whether 
it is authorized or not. So, I do not buy that. 

Do you have any other problems that you see with this system 
being able to correctly identify whether a person in this — I under- 
stand the underlying data may be wrong. I do not think we can 
ever fix that. Well, I do not think as a practical matter we can ever 
fix that. Assuming that the — well, never mind the underlying data; 
we can at least say whether the database has this person in it as 
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authorized to work, can’t we? It might be expensive, but we can do 
that, can we not? These gentlemen are nodding. Dr. Kent. 

Dr. KENT. Well, Mr. Chairman, one question that would come 
to mind immediately is whether everyone would be issued such a 
credential or only whether people who were immigrants were sup- 
posed to have such a credential. 

Chairman MCCRERY. That is a good question, and we will get 
to that. 

Dr. KENT. If we assume that only people who were immigrants 
are supposed to have it, then the burden, I would assume, on the 
employer is to make an initial determination of whether or not 
somebody applying for a job is or is not a citizen. Then the question 
is what existing credentials do they use for that purpose? 

If I have to present a birth certificate, then, we encounter all of 
the residual vulnerabilities associated with birth certificate forgery 
when people do not go to the extent that the earlier witnesses testi- 
fied that you can do if you are working hard in a forensic case to 
deal with fraud or something like that, which the average employer 
would not be able to do. 

So, there are a lot of questions we would have to answer to really 
be able to determine that. 

Chairman MCCRERY. Admittedly, people could find ways to fab- 
ricate authentication and thereby get on the database as an au- 
thorized worker. Would this system reduce the likelihood that 
somebody could get a job in the country if that person were here 
illegally and unauthorized to work? 

Dr. !^NT. It is hard to say 

Chairman MCCRERY. Sure. 

Dr. KENT. — without looking at all the details, but 

Chairman MCCRERY. The next question is how much would it 
reduce it? 

Dr. KENT. Yes. 

Chairman MCCRERY. That is an easy question to answer. Sure 
it would, but would the bang for the buck be worth it? That is the 
real question. 

Dr. KENT. I think that is where an extensive study needs to be 
undertaken to try to predict whether or not you would be getting, 
as you say, good bang for the buck out of such a system. 

Chairman MCCRERY. Mr. O’Carroll, Mr. Outland, do you have 
thoughts on this? 

Mr. O’CARROLL. Yes, Mr. Chairman, it’s sort of a twofold ques- 
tion, the first part asking in terms of designing a card that would 
be tamper-resistant, difficult to counterfeit, whatever. 

What we are finding is basically anything that has been engi- 
neered can be reengineered, and that is kind of our take on any 
of the expense that would go into coming up with a more counter- 
feit-proof card. It is really going to be pretty difficult, and the re- 
sult on it is probably not going to be as good as one would hope. 

So, what we are kind of in agreement with you on is that it is 
the underlying data that is the most important. Right now, what 
Social Security is using with DHS as the basic pilot, the SSA is 
verifying the SSN. The DHS is verifying the work status on it. 
There are other documents the employer can ask for, as an exam- 
ple, a DHS 1-9. They are running the SSN. They are getting a 
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verification back on it, and we are finding that that type of infor- 
mation is going to be much more current than anything you could 
embed on a card that is going to keep requiring people to come 
back to have their cards updated and information like that, which 
is a whole other workload, assuming that we could come up with 
a tamper-proof card. 

Rick? 

Mr. OUTLAND. Yes, Congressman, adding a photograph or a 
machine readable technology to the current card would obviously 
include changing the substrate from the banknote paper to a plas- 
tic substrate, say a polycarbonate or even a Teslin. 

Now, while I have seen counterfeit documents produced on driv- 
er’s licenses on Teslin and PVC, there are security features that 
are available that will make it more difficult for the counterfeiter 
to reproduce those. So, I agree with you. It can be done. You can 
produce a more difficult card. Given the document as it is right 
now on banknote paper, there are security features that can be 
added to that today at a nominal cost to also make it 

Chairman MCCRERY. Yes, a $10 bill, for example. 

Mr. OUTLAND. Correct. 

Chairman MCCRERY. We have just done it. I saw one the other 
day. It is very weird looking. 

[Laughter.] 

Chairman MCCRERY. I suppose it is better. 

Mr. OUTLAND. Yes. 

Chairman MCCRERY. Well, I want to give — ^you heard that. 
That is the House Democratic Cloakroom advising Republicans and 
Democrats we have votes. 

[Laughter.] 

Mr. LEVIN. You can stay if you want. 

[Laughter.] 

Chairman MCCRERY. I am going to yield. I have more ques- 
tions, but I am going to yield to my good friend and colleague from 
Michigan, Mr. Levin, for any questions he might have. 

Mr. LEVIN. Just a few, and then, I guess — mayhe I will be very 
brief so Mr. Pomeroy can — the more I hear of this, in a sense the 
more confusing it is, though you are very articulate. It is not very — 
it is not clear to me what the issues really are. I take it there are 
numbers of citizens in the United States, of the United States, who 
do not have a SSN. 

Mr. STRECKEWALD. There are — I am sorry, there are many, 
did you say? I could not quite hear you. 

Mr. LEVIN. There are many. 

Mr. STRECKEWALD. We do not believe there are too many peo- 
ple, citizens of the United States that do not have a Social Security 
card, because most parents get them right away for their newborn 
babies for tax purposes, and everybody else has one for work and 
for Social Security purposes. 

Mr. LEVIN. Before that started, I take it there are some people 
here, citizens, who do not have a SSN, maybe older people, right? 

Mr. STRECKEWALD. Well, most of our elderly, at one point or 
another, came into our offices to get benefits. Even those that did 
not work, there were some early provisions in Social Security for 
spouses’ benefits if they did not work which still exist today. There 
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were some for Medicare. So, I believe that you would find that most 
elderly citizens 

Mr. LEVIN. Most. 

Mr. STRECKEWALD. —have SSNs, if not all. 

Mr. LEVIN. If we had an ID program, it would mean that there 
would be people who would not otherwise seek a SSN who would 
have to become participants in the program, right? 

Mr. STRECKEWALD. Yes; I think what I hear you saying is, if 
we decided to issue a new card, there would be some people who 
normally would not be coming in to get a card, and we would not 
see them, because they are perfectly fine. Right now they do not 
need to show their card. They are retired or whatever. If they were 
asked to come in and get a new card, we would see a lot more peo- 
ple than we normally see for the general replacement card traffic. 

Mr. LEVIN. Okay; secondly, if there were not an issue in this 
country about people who are working here, who are not here le- 
gally, would there be this issue of a national ID card? You are not 
sure. 

Mr. STRECKEWALD. At Social Security, from that perspective, 
I am not sure. I would defer to the investigators and the experts 
at the table. 

Mr. LEVIN. Well, maybe you do not want to answer that. 

[Laughter.] 

Mr. LEVIN. It is okay. The next thing that is rather confusing 
is that part of the problem seems to be that a lot of employers do 
not want to check the status, legal or illegal. Is that not true? Yes, 
it is true. 

Mr. STRECKEWALD. I mean, in our experience, I think, the In- 
spector General’s experience, that is definitely true. 

Mr. LEVIN. So, if we have a card, it does not matter what you 
call it, it does not get at the issue of whether we are going to have 
an effective system of requirement when there is a larger issue as 
to whether or not people want to accurately and effectively check 
the status of people, right? 

Mr. STRECKEWALD. Eor things to change from where they are 
now, there would probably have to be more enforcement on that 
part of the process; that they would have to check it and verify it. 

Mr. LEVIN. Just to finish, let us say we had an ID card today, 
and we had a system that any employer who did not verify and use 
the system, punch into the computer would be guilty of a high mis- 
demeanor, let us say, for example — I assume that would be a some- 
what controversial proposition, would it not? 

Mr. O’CARROLL. Yes, I would agree, because as it stands now, 
there are laws requiring employers to verify SSNs and provide 
valid numbers, and employers do not. There has not been very 
much enforcement done on that. 

Mr. LEVIN. Thank you. 

Chairman MCCRERY. Mr. Pomeroy. 

Mr. POMEROY. Thank you, Mr. Chairman. I will be brief 
Thank you for putting together this hearing, and the very inter- 
esting panel that majority staff selected has really done a nice job 
here of collecting a range of views on the proposal. 
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When I was in the State Legislature, now 25 years ago, we 
passed a law that the North Dakota driver’s license number is the 
SSN. It was simple, easy, everyone remembers. 

They changed that law. They really, upon further reflection, we 
really did not want Social Security kind of being a national ID, a 
national identifier; privacy today, privacy issues, identity theft 
issues, lots of things led the legislature to correctly, in my view, 
make that change. 

I do think this issue presents in front of us very squarely, this 
would be moving the Social Security card to a national ID card. 
Now, whether or not that is the full intent of the proposal, I think 
that that is the effect of it. I have concerns about it in that respect, 
and I think that the panel has given voice to some of the reasons 
why one might want to think twice about that. 

Another concern I have got is budgetary. This $9 billion cost of 
implementation is advanced at a time when the Administration has 
proposed changes in Social Security that would kick out of eligi- 
bility for survivors’ benefits 16- and 17-year-olds. When my father 
died, I was 19, but I got benefits all the way through college. That 
was pre-1983. In 1983, we limited it to the 18th year. 

I think depriving Social Security benefits to someone 16 is just 
wrong, absolutely wrong. If we cannot afford to pay 16-year-olds 
when they lose their Dad, I do not think we can afford $9 billion 
in these fancy cards; simple as that. 

So, I have got some very deep reservations about this proposal. 
I thank the Chairman for letting me express them. I yield back. 

Chairman MCCRERY. Thank you, Mr. Pomeroy. Gentlemen, we 
are going to have some other questions that we would like to sub- 
mit to you in writing if that is okay, and that would allow you to 
leave when we recess in just a few minutes and not just hang 
around, because we are going to have votes until at least noon, it 
looks like. 

However, I do want to point out to Mr. Pomeroy my observation 
that what some are proposing and what we are discussing here 
today is an enhanced SSN card, and then using that for purposes 
of employment verification or work authorization verification. I do 
not view that as a national ID card. I do not think it would be tan- 
tamount to a national ID card necessarily, because unlike, say, a 
driver’s license, which we have to carry on our person if we drive 
or if we want to cash a check or whatever, one would not have to 
carry their Social Security card. 

Only when he is applying for employment would he have to get 
it out of his safe in his house, or his drawer, or whatever, and take 
it down to that place of employment and say “here.” Then, once 
that is done, he takes it back, and puts it back in his house in a 
safe place under his underwear or whatever. 

[Laughter.] 

Unless he is burglarized, his SSN is safe with him, just as safe 
as it is today, where the employer has to have it in any event; he 
does not have to see the card, but he has to have that number. 

So, I think it is perhaps a bit of a jump to equate what we are 
talking about today with a national ID card and all of the ramifica- 
tions of that. Would you disagree with my observations? 
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Mr. POMEROY. I think you make your point well, but my 
thought is in the end, if you need this identification card before you 
can get a job that we have taken a big step toward a national ID 
card concept, I think. I also do not know about, well, what other — 
unless we prohibit it in the legislation itself, what other groups 
may require the use of this particular card, because it would 
have — it would be the most advanced card in the marketplace, 
what other groups might require it for other purposes unless, 
again, we restrict it. 

Chairman MCCRERY. Yes, well, that is a potential problem, but 
anyway, this is an interesting subject and an important subject, so 
I thank the witnesses very much for your testimony, and if you all 
have any thoughts on what I and Mr. Pomeroy just talked about, 
feel free to include those in your responses to written questions. 
Thank you very much. The hearing will be in recess until votes are 
concluded and we can muster the first panel. 

[Recess.] 

Chairman MCCRERY. The Committee will come to order. The 
hearing is adjourned. 

[Whereupon, at 10:48 a.m., the hearing was adjourned.] 

[Questions submitted by Chairman McCrery to the Honorable Jo 
Anne B. Barnhart and her responses follow:] 

Question: If Congress were to require employers to verify an employee’s 
name, SSN, and employment eligibility through a government database, 
would we still need to enhance the SSN card to prevent unauthorized work 
hy non-citizens? Would some form of identification, (e.g., a driver’s license 
or immigration card from the U.S. Department of Homeland Security) plus 
confirmation from the system he enough to identify individuals who do not 
have authorization to work in the United States? How much value would 
an enhanced SSN card add to such a system? 

Answer: By using the Basic Pilot or a similar government database which ac- 
cesses the Department of Homeland Security’s (DHS) work authorization informa- 
tion, employers have access to the most current work authorization data available, 
because DHS’ work authorization data is more current than the information on the 
Social Security number (SSN) card. Therefore, requiring employers to verify employ- 
ees’ work authorization through such a database, would render the SSN card, en- 
hanced or not, of little additional value in proving current work authorization. 

To address the issue of identity, employers would still need to verify an employ- 
ee’s identity by examining an identity document listed on the Form 1-9 and be alert 
for identity fraud situations. The Social Security card itself was never intended and 
does not serve as a personal identification document; that is, the card does not es- 
tablish that the person presenting the card is actually the person whose name and 
SSN appear on the card. 

Question: In his testimony, Mr. Streckewald said that replacing cards for 
240 million cardholders nationwide would cost approximately $9.5 hillion. 
How much would it cost if the agency issues new cards only to people in 
the workforce? What are your thoughts on allowing the SSA to charge a fee 
to offset some or all of those costs — what are the arguments for and against 
such an option? 

Answer: Last year we estimated a card with enhanced security features, such as 
biometric identifiers, would cost approximately $25.00 per card. This estimate does 
not include the startup investments associated with the purchase of equipment 
needed to produce and issue such a card. Based on this information, our most recent 
5-year estimate regarding the issuance of new enhanced cards to 170 million current 
workers and 5 million new workers annually is approximately $6.7 billion to replace 
the cards within 5 years and $7.4 billion to replace the cards within 2 years. This 
estimate includes all startup and ongoing costs. 

More recent data, however, shows that the cost of issuing Social Security cards 
has increased by at least $3.00, due, in part, to new requirements for verification 
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of evidence. We will update our estimate when we have accumulated sufficient base- 
line data. In addition, when formulating an estimate based on a particular proposal, 
we would have to consider the details of the proposal, including the type of card 
enhancements required and the amount of time given to issue the enhanced card. 

Finally, charging a fee for issuing these new Social Security cards, while ulti- 
mately a policy decision, would result in significant additional costs for the Social 
Security Administration (SSA). It would involve explaining and collecting the fee, 
obtaining credit card authorization if necessary, entering remittance of the payment 
into an automated system, and issuing a receipt of payment. In addition, charging 
a fee would involve SSA periodically setting a fee schedule and reconciling these off- 
setting collections. All of these actions would result in a considerable increase in the 
cost of issuing a Social Security card. 

Question: What would be the effect on SSA’s workloads of issuing en- 
hanced SSN cards to everybody who is seeking employment in the United 
States? How many employees would it require to process the workload? 

Answer: Issuing new enhanced cards to everyone seeking employment in the 
United States would have a significant impact on SSA’s workloads until all individ- 
uals in the workforce have been issued a new card. We estimate that the initial 
workload would require about 13,000 additional employees. This equates to approxi- 
mately 20 percent of SSA’s current workforce. Absorbing this work without addi- 
tional staff would require a reduction of 20 percent of the work we currently proc- 
ess, including retirement claims, disability claims and eligibility reviews. This esti- 
mate does not reflect the increased time our employees must spend with Social Se- 
curity card applicants due to the new requirements for verification of documents 
which began in December 2005. We anticipate our workforce requirement would in- 
crease as a result of this recent change, but we need to develop a longitudinal base- 
line of actual data before revising our estimates. 

Question: Another witness at the hearing, Dr. Kent, stated that “layering 
even the best current security on top of old data only gives the old data 
an appearance of being more trustworthy.” Is the SSN system a good data- 
base upon which to build an employment authorization card? What 
changes, if any, would need to be made to the SSA’s data to provide reli- 
able validation of identity and employment authorization? 

Answer: Social Security’s databases do not contain current information about em- 
ployment eligibility, because there is no SSA program need to maintain such infor- 
mation. SSA is able to verify current work authorization only when SSA records re- 
flect that the individual is a U.S. citizen, because U.S. citizens have permanent 
work authorization. For all non-citizens, SSA’s databases contain only a “snapshot 
in time” of employment eligibility as of the date the SSN card was issued. SSA’s 
records are updated only when a non-citizen submits a new application requesting 
a change to the information in his or her record and provides evidence supporting 
the change. Therefore, DHS’ work authorization data is the only reliable source for 
validating the current employment eligibility of non-citizens. 

We believe an employment eligibility verification system, such as the current 
Basic Pilot, is the best tool for employers to verify employees’ current work author- 
ization status. Such a system uses the data contained in SSA and DHS databases 
in a way that allows each agency to maintain only the data necessary for the admin- 
istration of their respective programs. As a result, each agency is able to focus on 
its own business processes, including the collection, integrity and accuracy of certain 
information. If these databases were to be combined, one agency would be burdened 
with the management of data which it does not collect, cannot verify and which is 
not related to its business purposes. 

In addition, a combined database would be less accurate than two separate data- 
bases since combining the data would involve transmitting updated information 
from the source data base. At any point in time, some data on the combined data- 
base would be out of sync with the source database that contains the most current 
information. 

Finally, we note that an essential component of any employment verification sys- 
tem is to confirm the identity of the individual seeking employment verification. 
SSA databases do not contain identity information and, thus, are not suited to this 
critical function. 

Question: Currently the SSA issues a special series of SSNs to non-citi- 
zens who are assigned SSNs through the “enumeration-at-entry” program. 
If the SSA were to dedicate a special series of SSNs to individuals who 
have no authorization to work, or only temporary authorization to work. 
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at the time the SSN is issued, would that help employers identify non-citi- 
zens who are unauthorized to work in the United States? 

Answer: SSA has considered using special series numbers for temporary non-cit- 
izen workers and those non-citizens admitted without work authorization. Our anal- 
ysis showed that a special series for temporary workers would be of limited value 
in providing meaningful work authorization information to employers because immi- 
gration and authorization to work status may expire, be renewed or changed to an- 
other status by DHS. Thus, employers looking at a card or SSN with a special series 
designated for temporary workers would still need to verify current work authoriza- 
tion. 

Other concerns to be considered with numbers that identify certain categories of 
non-citizens include the following: 

• Providing new, special series SSNs for all aliens in the United States who have 
no work authorization or temporary work authorization, and who have already 
been issued an SSN, would present a staggering workload for SSA. 

• SSA would also be required to assign new SSNs to non-citizens when their im- 
migration status changes. The volume of new SSNs which would be required 
to assign multiple numbers to many non-citizens would create a number of 
issues, including: 

• Running out of numbers. (SSA currently has enough SSNs for nearly 70 
years. Assigning multiple numbers to non-citizens would require setting 
aside large blocks of numbers, which would significantly deplete the supply 
of SSNs available to citizens.) 

• Complex cross-referencing of multiple numbers by SSA and all other gov- 
ernmental and non-governmental agencies that use the SSN. 

Question: If Congress were to require the SSA to record information on 
when a temporary immi^ant’s authorization to work in the United States 
expired as part of its voluntary SSN verification services, would that help 
employers identify non-citizens who are unauthorized to work in the 
United States? 

Answer: In keeping with DHS’ mission and authority, DHS has the most current 
information on immigration and work authorization status. We believe that giving 
employers access to DHS’ work authorization data, through an employment eligi- 
bility verification system such as the Basic Pilot, would be the most accurate way 
for an employer to determine an employee’s current work authorization status. 

While such information might be helpful to employers, requiring SSA to maintain 
such information would be problematic. Maintaining work authorization expiration 
information in SSA’s records would expand SSA’s mission to include a business pur- 
pose that would concurrently fall under the purview of DHS. Even if SSA were re- 
quired to maintain such information in its records, SSA would not be responsible 
for granting work authorization status or determining the duration of such status. 
Therefore, SSA would be unable to respond to employer questions or to resolve 
issues related to the verification of that information. 

[Questions submitted by Chairman McCrery to the Honorable Patrick P. O’Carroll 
and his responses follow:] 

Question: Is there such a thing as a counterfeit proof card? How would 
you define a minimum threshold for a counterfeit and tamper “resistant” 
card? 

Answer: We do not believe there is such a thing as a perfectly counterfeit-proof 
Social Security card. Certainly, with each new security feature, the card would be 
more tamper-resistant. However, we are uncertain as to whether trying to make the 
card more counterfeit-resistant is worth the costs of improving and reissuing such 
cards. 

As a person ages, there are modifications in appearance such as weight gain or 
loss, changes in hair and facial appearance, and so on. Because of this, photographs 
often are not as reliable as other biometric alternatives. We believe that digitized 
fingerprints would be more reliable than photographs as scientific data suggests 
that a person’s fingerprints do not substantially change after age 3. In addition, new 
photographs would need to be taken periodically to stay current with an individual’s 
physiological changes. We also are concerned about the effect on SSA’s Enumeration 
at Birth program of requiring such a card. 

The Social Security Administration (SSA) will need sufficient time to design an 
enhanced card. It will need to determine which biometric features are to be cap- 
tured, ensure proper data linkage with the Department of Homeland Security, and 
issue the new card to tens of millions of individuals. This will create a significant 
administrative and cost burden for SSA. A more viable alternative might be to issue 
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the new card only to new applicants, to those current number holders who apply 
for benefits in the future, and to those current number holders who request the new 
biometric card. 

If the Social Security card is machine readable, then other public and private sec- 
tor entities will need to procure equipment that can read the biometrics on the new 
cards. The costs to these entities, in terms of equipment and training, would need 
to be considered. 

Question: There is much concern that non-citizens who are unauthorized 
to work are using counterfeit SSN cards and false or stolen SSNs in order 
to illegally gain employment in the United States. Is it the SSNs them- 
selves, or SSN cards, that are most often used in connection with unauthor- 
ized employment? 

Answer: Under current law, the SSN card is not a required document when an 
individual is applying for a job. If an applicant submits an SSN card to an employer, 
that employer may not identify a counterfeit card. Whether or not the employer 
views the actual SSN card, real-time verification with SSA of the name and SSN 
the applicant provides could assist in preventing theft of an individual’s SSN or use 
of a false number. In addition, active deterrence, in the form of possible apprehen- 
sion for false use of an SSN, would further decrease SSN misuse. 

Although we do not capture this specific information about SSN misuse in our 
case management system, it has been the experience of our investigators that SSNs 
themselves, rather than Social Security cards, are most often used in connection 
with unauthorized employment. 

Question: In your testimony, you said that your prior audit work has re- 
vealed inaccuracies in the SSA’s SSN database that could affect the Agen- 
cy’s ability to provide employment eligibility verification services. Could 
you elaborate on what you found? 

Answer: In our audit Compliance with Policies and Procedures When Processing 
Noncitizen Social Security Number Applications at Foreign Service Posts (A-08-04- 
14060, August 30, 2004), we found that SSA personnel classified 12 percent of the 
applicants enumerated at Foreign Service posts during our audit period as nonciti- 
zens, even though documents provided by the applicants showed them to be United 
States citizens. For these cases, the SSA employee recorded that United States citi- 
zens born abroad were noncitizens. We have additional audits that have identified 
similar issues. However, we have not performed a review of the overall accuracy of 
SSA’s enumeration database. We do have a review ongoing in this area and will re- 
port the results when we have completed our review. 

[Questions submitted by Chairman McCrery to the Dr. Peter Blair of the National 
Research Council and his responses follow:] 

Question: Dr. Kent stated in his testimony that there are almost always 
forces that push identification systems to be used in ways for which they 
were not originally designed or intended. What do you think could be some 
of the unintended consequences of adding identity information, such as a 
photograph or other biometric information, to SSN cards? 

Answer: The general issue of unintended consequences from the deployment of 
any large-scale identity system is described in the reports that Dr. Kent cited in his 
earlier testimony. Absent strong technical and policy countermeasures and disincen- 
tives, the use of an ID card, ID number, or ID system can expand greatly, just as 
has happened with the SSN and the state driver’s license. Potential unplanned-for 
uses depend in part on the purpose of the system, what information is contained 
in any related databases, and what possession of an ID is meant to signify. Adding 
biometric information to the ID system implies another level of complexity with all 
of the attendant challenges surrounding enrollment, capture of biometric informa- 
tion, reliability, accuracy, and so on. To the extent that an ID system is made reli- 
able and accurate, it is that much more tempting a target for attacks or simply for 
uses for which it was not designed. Predicting what specific secondary uses might 
arise for any particular ID system is difficult absent a more complete description 
of that system. 

Question: If the role of the SSN eard was expanded so that it provided 
proof of identity, would it become a more desirable target for identity 
thieves or others who seek to commit crimes using the SSN? Would the po- 
tential damage that could be done if an SSN is stolen by greater? How 
could we protect individuals, businesses, and the government against this? 

Answer: To the extent that an expanded SSN card becomes more valuable — in 
this case “proof’ of identity would be a valuable commodity — the more likely it is 
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to be a target for identity thieves as they seek to take advantage of the new 
functionality. Increasing the value of the SSN card might also raise its profile, even 
apart from any new credentialing that it could offer, and thus increase the fre- 
quency with which it is a target of traditional sorts of identity theft and fraud. Iden- 
tity theft is already a major challenge by virtue of the link between the SSN and 
other readily available types of personal information and access to credit. Finding 
ways to cut these links so that identity credentials in one system cannot be easily 
used in another might offer some protection. On the other hand, this could insert 
friction and decrease efficiency of some transactions. 

Question: What documents available today should employers use to verify 
the identity of their employees? 

Answer: Our reports do not address this question specifically. To the extent that 
employers need to use an ad hoc or formalized identity system when hiring, ques- 
tions that would help guide the choice of documents to use include: what specific 
problems need to be addressed (in this case, presumably, establishing work eligi- 
bility), what is the extent of the problem (affording some sense of costs and bene- 
fits), how could a particular identity system address that problem, and what other 
solutions (apart from a formalized new identity system) might address the problem? 

Question: How would you define a national identification system? If Con- 
gress were to add certain features to the SSN card, such as a photo or 
other biometric information, and to require its use to obtain employment, 
do you think it would meet that definition? 

Answer: Our reports do not draw a clear distinction because any large-scale iden- 
tify system poses numerous challenges and policy questions that must be addressed. 
For some systems, such as those deployed only to allow access to a particular busi- 
ness building for example, the scope and scale is fairly limited and the policy issues 
are primarily specific to that business or that location. However, in any system that 
is deployed to encompass large portions of the population for more general purposes 
much more rigor and attention to the questions outlined in IDs — Not That Easy are 
needed. In this sense, then, there are already several nationwide identity systems, 
each serving different purposes, including passports, driver licenses, and present- 
day SSN cards/numbers. In short, changing the SSN card’s features and 
functionality would create a national identification system much as the existing sys- 
tems listed above have, but the label is much less important than is sorting through 
the policy and technical challenges of any large-scale identity system. 

Question: Members of Congress have introduced proposals that would re- 
quire millions of employers across the United States to access an employ- 
ment eligibility verification database operated by the government. What 
concerns would you have about the privacy and security of such a data- 
base? What is the track record on maintaining the security of such a data- 
base? 

Answer: Such a database would presumably be one element of a large-scale iden- 
tity system and all of the issues raised in our two reports would apply. Securing 
the database is only part of the challenge. Depending on the purposes of the system 
and the specific content of the database, such a database could be an extremely 
high-value target for a wide variety of people ranging from tax avoiders to identity 
thieves to national security risks. Just as with a state driver’s license system, the 
value of this database as a target will be dependent on what value the credential 
offers; the more things the credential is useful for, the higher value target the data- 
base is likely to be. 

An early question to ask is how is membership in the database ascertained and 
verified? That is, what process determines whether an individual is eligible to work? 
Then, additional questions include: What individuals, organizations, and institutions 
would have legitimate access to the database? How would that access be facilitated? 
Who would verify the legitimacy of these individuals, organizations, and institu- 
tions? What opportunities for redress would there be if erroneous data ends up in 
the database? Where would liability for mistakes reside? All of these points, and 
many others, introduce various sorts of privacy and security vulnerabilities into the 
system. And, experience suggests that even applying the best security and privacy 
protections available will not protect against so-called “social engineering” attacks 
or hacks (such as bribes). That said, protection against attacks is only one part of 
the challenge. Having policies, procedures, and technical capabilities in place to dis- 
cover that an attack has taken or is taking place as well as procedures in place to 
respond effectively is also critically important. Virtually any large, valuable data- 
base will be the target of some kind of attack and no such database can be 100% 
secure; therefore clearly thinking through how to respond in the event of an attack. 
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disclosure, or simple failure is a key component of building secure and reliable sys- 
tems. 


[Submissions for the record follow:] 


Severn Trent Services 
Colmar, Pennsylvania 18915 
March 27, 2006 

The Honorable Bill Thomas 
Chairman 

Committee on Ways and Means 
U.S. House of Representatives 
Washington, D.C. 20515 

Dear Chairman Thomas: 


I am writing on behalf of our company in support of H.R. 1708, the Clean Water 
Investment and Infrastructure Security Act. Severn Trent Services has a global 
presence and is a $600 million business employing 2,350 personnel providing water 
and wastewater equipment and services to communities and industrial customers 
around the world. The company’s broad range of products and services is con- 
centrated around disinfection, instrumentation, and filtration technologies, pipeline 
analysis, rehabilitation and repair services, contract operating services and state-of- 
the-art residential metering products and services. Severn Trent Services is a mem- 
ber of the Severn Trent Pic (London: SVT.L) group of companies. An international 
environmental services leader, Severn Trent is a FTSE 100 company. 

We should all be concerned about the deteriorating state of our nation’s water and 
wastewater infrastructure. Nearly $1 trillion dollars need to be invested over the 
next 20 years to repair, rehabilitate, replace and upgrade our nation’s network of 
water and wastewater treatment plants, collection systems and distribution lines. 
Failure to stem this looming crisis will cause significant public health and economic 
harm to our country. 

H.R. 1708 will allow communities across the nation to partner with the private 
sector in funding critical water infrastructure activities by removing water and 
wastewater projects from the state volume caps for private activity bonds. This is 
the least expensive option for addressing a growing national crisis and ensuring 
that all Americans are guaranteed a safe, reliable water infrastructure system. We 
urge Congress to move expeditiously on this proposal and thank you for your leader- 
ship in this matter. 

Sincerely, 


Steve Hinkle 
Credit Manager 
Michael P. Isabell 
Business Unit Manager 
Linda D. Slack 
Administative Assistant 
Nadia Abbott 
Marketing Manager 
Barbara Ferns 
Principal Electrochlorination Engineer 
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